Abstract

In the formal modelling of systems, demonic and angelic nondeterminism play fundamental roles as abstraction mechanisms. The angelic nature of a choice pertains to the property of avoiding failure whenever possible. As a concept, angelic choice first appeared in automata theory and Turing machines, where it can be implemented via backtracking. It has traditionally been studied in the refinement calculus, and has proved to be useful in a variety of applications and refinement techniques. Recently it has been studied within relational, multirelational and higher-order models. It has been employed for modelling user interactions, game-like scenarios, theorem proving tactics, constraint satisfaction problems and control systems.

When the formal modelling of state-rich reactive systems is considered, it only seems natural that both types of nondeterministic choice should be considered. However, despite several treatments of angelic nondeterminism in the context of process algebras, namely Communicating Sequential Processes, the counterpart to the angelic choice of the refinement calculus has been elusive.

In this thesis, we develop a semantics in the relational setting of Hoare and He's Unifying Theories of Programming that enables the characterisation of angelic nondeterminism in CSP. Since CSP processes are given semantics in the UTP via designs, that is, pre and postcondition pairs, we first introduce a theory of angelic designs, and an isomorphic multirelational model, that is suitable for characterising processes. We then develop a theory of reactive angelic designs by enforcing the healthiness conditions of CSP. Finally, by introducing a notion of divergence that can undo the history of events, we obtain a model where angelic choice avoids divergence. This lays the foundation for a process algebra with both nondeterministic constructs, where existing and novel abstract modelling approaches can be considered. The UTP basis of our work makes it applicable in the wider context of reactive systems.
Chapter 1
Introduction

In this chapter we discuss the motivation and objectives underlying our work on a semantic model for CSP processes with angelic nondeterminism. Furthermore, we provide an overview of all semantic models of interest in the context of this thesis and their relationships. Finally, an outline of this document's structure is presented.


1.1 Motivation

In an increasingly connected world, where software-driven systems are ubiquitous, it is imperative that their behaviour is rigorously studied. Since the software crisis of the seventies [3], significant attention has been devoted to this problem with the development of several theories, techniques and tools. The earliest contributions can be found in the works of Floyd, Hoare and Dijkstra. In 1967, Floyd [5] proposed techniques for rigorously characterizing and analysing programs specified as flowcharts, by considering propositions associated with the entrance and exit of commands in the flowchart, akin to pre and postconditions. Hoare [6] would later propose a formal system, known as Hoare logic, capable of proving partial correctness of program statements for a sequential programming language. Inspired by Hoare's work, Dijkstra [7] introduced weakest precondition semantics with his language of guarded commands, an imperative language that allows for the existence of repetitive and nondeterministic constructs.

As systems present several aspects of interest, ranging from the intended functional behaviour to the actual operating environment, modelling approaches focus on specific properties of interest, at suitable levels of abstraction. For instance, there are several formal notations catering for the specification of functional behaviour, such as Z [8, 9], Object-Z [10], the Vienna Development Method (VDM) [11], Abstract State Machines (ASM) [12, 13] and B [14, 15]. Concurrent and reactive systems have also been extensively studied with formalisms such as Communicating Sequential Processes (CSP) [16, 17, 18], the Calculus of Communicating Systems (CCS) [19] and the Algebra of Communicating Processes (ACP) [20]. Several works have also focused on combining both state-based and concurrent formalisms, as found in the literature.

The successful characterisation of a particular system relies on appropriate abstraction mechanisms being available, such that a system can be decomposed into manageable parts with the appropriate level of detail. Formal specifications are, in this sense, at the very top of the hierarchy, and provide the highest-level and most abstract model of a system. Since the foundational works of Back [28], Morris [29] and Morgan [30], however, it has been possible to consider both specifications and programs within the same formal model.

An essential abstraction mechanism that is pervasive across modelling approaches is that of nondeterministic choice. It can be used to specify purely nondeterministic behaviour, such that no particular choice is guaranteed, but also to describe concisely a set of choices, such that, if there are options that lead to success, they are guaranteed to be chosen. The former is traditionally referred to as demonic, while the latter is referred to as angelic. Operationally, both nondeterministic choices embody some notion of failure and success.

Demonic choice has traditionally been used for the underspecification of behaviour, and plays an essential role in the contractual approach between users and developers. In the context of refinement, the behaviour of a specification can be made more deterministic while adhering to the externally observable behaviour. In other words, given a particular set of choices, the user is unable to force any particular choice and must accept any subset, including failure, if this is a possibility. This corresponds to the semantics of nondeterminism in Dijkstra's [7] guarded commands, and internal choice in CSP [17], for example.

On the other hand, angelic choice is driven by success. Given a set of choices, as long as there is at least one choice that leads to success, then the angel can achieve a satisfying outcome. Thus, operationally, angelic nondeterminism can be interpreted as a backtracking mechanism. Indeed, this is similar to the underlying concept involved in searching for solutions in a given space. Another typical application of this concept can be found in the context of nondeterministic finite state automata, where acceptance is successful if, and only if, the system reaches an accepting state.

The concept of angelic nondeterminism has traditionally been studied in the refinement calculus, where angelic choice is defined as the least upper bound of the lattice of monotonic predicate transformers. Its dual is demonic choice, which is defined as the greatest lower bound of the lattice. In [32, 21] the least upper bound is used to define logical variables, which enable the postcondition of a specification statement to refer to the initial value of a program variable. This is central to the refinement technique of Gardiner and Morgan [33], and, in particular, to their calculational data-refinement approach.

In [32] Rewitzky introduces binary multirelations for modelling both forms of nondeterminism. Unlike relational models, which relate initial states to final states, multirelations relate initial states to sets of final states. A number of models are explored there, of which the model of upward-closed binary multirelations is the most important as it has a lattice-theoretic structure. A generalised algebraic structure has also been proposed by Guttmann, where the monotonic predicate transformers and multirelations are characterised as instances.
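To make the multirelational model concrete, the following is an added example in Python (not code from the thesis or from the cited works) over a constructed three-state space: a multirelation maps each initial state to the sets of final states the angel can force the outcome into, upward closure is enforced, angelic and demonic choice are union and intersection (join and meet of the pointwise subset order), and sequential composition is the usual multirelational one. It also exercises the claim, made later for reactive angelic designs, that an angelic choice with a failing alternative discards the failure while a demonic choice is dragged down to it.

```python
# Added example, not from the thesis: a finite executable model of
# upward-closed binary multirelations over a constructed three-state space.
from itertools import combinations
from typing import Dict, FrozenSet, Set

State = str
# Each initial state is mapped to its "guarantees": sets of final states the
# angel can force the outcome into; the demon then picks a state in that set.
Multirel = Dict[State, Set[FrozenSet[State]]]

STATES: FrozenSet[State] = frozenset({"s0", "s1", "s2"})  # constructed


def powerset(universe: FrozenSet[State]) -> list:
    """All subsets of the finite state space, as frozensets."""
    items = sorted(universe)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


def upward_close(m: Multirel, universe: FrozenSet[State] = STATES) -> Multirel:
    """Healthiness of the model: if the angel can force X and X is a subset
    of Y, it can force Y too (an initial state missing from m has no guarantees)."""
    return {s: {y for y in powerset(universe)
                if any(x <= y for x in m.get(s, set()))}
            for s in universe}


def is_upward_closed(m: Multirel) -> bool:
    return upward_close(m) == m


def assign(target: State) -> Multirel:
    """Deterministic program that always ends in `target`."""
    return upward_close({s: {frozenset({target})} for s in STATES})


def skip() -> Multirel:
    """Identity: from s the angel can only force sets that contain s."""
    return upward_close({s: {frozenset({s})} for s in STATES})


def abort() -> Multirel:
    """Abort (failure): the angel can guarantee nothing, the bottom of the order."""
    return {s: set() for s in STATES}


def angelic_choice(p: Multirel, q: Multirel) -> Multirel:
    """Join of the refinement lattice: the angel may use either side's guarantees."""
    return {s: p[s] | q[s] for s in STATES}


def demonic_choice(p: Multirel, q: Multirel) -> Multirel:
    """Meet of the lattice: only guarantees both sides deliver survive,
    because the demon may resolve the choice either way."""
    return {s: p[s] & q[s] for s in STATES}


def refines(p: Multirel, q: Multirel) -> bool:
    """p is refined by q: q offers the angel every guarantee p does."""
    return all(p[s] <= q[s] for s in STATES)


def seq(p: Multirel, q: Multirel) -> Multirel:
    """p;q: the angel forces some X in p and then, from every state of X,
    can force Z in q; such Z is a guarantee of the composition."""
    return {s: {z for z in powerset(STATES)
                if any(all(z in q[t] for t in x) for x in p[s])}
            for s in STATES}


# Constructed guard: behaves like skip when started in s1, aborts elsewhere.
ONLY_S1: Multirel = upward_close({"s1": {frozenset({"s1"})}})


def demo() -> dict:
    """The checks a reader would want to see; every value should be True."""
    s1, s2 = assign("s1"), assign("s2")
    return {
        # angelic choice drops the failing alternative, demonic choice sinks to it
        "angel_avoids_abort": angelic_choice(abort(), skip()) == skip(),
        "demon_sinks_to_abort": demonic_choice(abort(), skip()) == abort(),
        # lattice structure: meet is below both operands, join above both
        "meet_is_lower_bound": refines(demonic_choice(s1, s2), s1),
        "join_is_upper_bound": refines(s1, angelic_choice(s1, s2)),
        # backtracking reading: the angel keeps only the branch that later succeeds
        "angel_backtracks": seq(angelic_choice(s1, s2), ONLY_S1) == s1,
        "demon_cannot": seq(demonic_choice(s1, s2), ONLY_S1) == abort(),
        "closure_preserved": is_upward_closed(seq(angelic_choice(s1, s2), ONLY_S1)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```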

Cavalcanti et al. [38] have proposed a predicative encoding of binary multirelations in the context of Hoare and He's [22] Unifying Theories of Programming (UTP), a relational framework suitable for characterising several programming paradigms. This is achieved by encoding program variables as record components. First an isomorphism is established between the new UTP model and a set-based relational model. Afterwards an isomorphism is established between the set-based model and the monotonic predicate transformers. Finally an isomorphism is established between the predicate transformers model and upward-closed binary multirelations. This is then used to establish the correspondence between the semantics of statements in the predicate transformers model and in the proposed UTP model.

Angelic choice has also been considered at the expression, or term, level by Morris [40, 41]. In [41], an axiomatic basis is presented for defining operators for both angelic and demonic nondeterminism within a term language. Each type is represented as a partially ordered set, and an ordering is given. This is then lifted into a Free Completely Distributive (FCD) lattice where the refinement relation corresponds to the ordering relation imposed on the type, demonic choice is the meet, and angelic choice is the join. In [40] this model is shown to be isomorphic to higher-order models of predicate transformers, binary multirelations and state transformers. While it is possible to cast typical sequential programming constructs into this theory, its focus is on functional languages. Hesselink [42] further studies this model and provides a different construction of the FCD.

In [43], Tyrrell et al., inspired by the previous work on the FCD by Morris [41], provide an axiomatization for an algebra, similar to CSP, where external choice is referred to as "angelic choice". The definitions are then lifted from a partially ordered set into the FCD lattice. Just as the authors point out, this model is quite different from the traditional CSP model, whose complete semantics is based on failures-divergences. In the model proposed, Stop is the bottom of the refinement ordering, rather than divergence. Thus, it is impossible to distinguish divergence from deadlock.

Roscoe [18] has proposed an angelic choice operator through an operational combinator semantics for CSP. It is an alternative to the external choice operator of CSP that behaves as follows: as long as the environment chooses events offered by both P and Q, then the choice between P and Q is unresolved. The possibility of divergence or otherwise has no effect on the choice.

Despite the various models where angelic nondeterminism is employed in the context of process algebras, and the different semantics considered in the literature, the counterpart to the angelic choice of the refinement calculus has been elusive. The notion of failure of interest here is that of divergence, as required for a characterisation of angelic nondeterminism in the context of state-rich reactive systems for both data and behavioural refinement.

The UTP of Hoare and He [39] provides an ideal framework to study the concept of angelic nondeterminism in a theory of CSP [59]. The UTP is a predicative framework of alphabetized relations suitable for characterising different programming aspects, such as functionality, concurrency, logic programming, higher-order programming, object-orientation, pointers, time and others. It supports the engineering of theories by enabling results to be related through linking functions, while allowing different concerns to be studied in isolation. The theory of designs, which characterises total correctness, is one of the most important. In general, a UTP theory is a complete lattice where we can use joins and meets to model dual choices.

While sequential computations can be characterised by a relation between their initial and final states, the formal characterisation of reactive systems requires a richer model that accounts for the continuous interactions with their environment. In the UTP this is achieved through the theory of reactive processes [39]. Together with the theory of designs, these two theories enable the specification of CSP processes in an assertional style, that is, in terms of designs that characterise the pre and postcondition of processes.

The theory of angelic nondeterminism presented in [38] is a starting point for the development of a model of CSP with both nondeterministic constructs. However, this model is focused on correctness of sequential programs and is not directly applicable to reactive processes. It is an encoding that caters for termination, so that designs are not considered as a separate theory.

In summary, a suitable treatment of angelic nondeterminism is yet to be considered in the context of process algebras for state-rich reactive systems. The UTP presents itself as a natural domain for the development of such a model, as existing theories, and their results, can be easily exploited. Our hypothesis is as follows.

Research Hypothesis

A model can be defined to give a semantics to CSP that caters for both angelic and demonic nondeterminism, that is applicable in the wider context of any algebra of state-rich reactive systems for refinement, and that preserves the existing semantics of CSP processes, particularly within the subset of nondivergent processes.

This concludes the discussion of the motivation underlying our work. In what follows we discuss the objectives in more detail.


1.2 Objectives

As already mentioned, the overall objective of our work is to define a semantic model suitable for state-rich process algebras, and CSP in particular, where both nondeterministic choices can be expressed. In contrast with some of the existing approaches [43], we do not intend to propose an entirely new semantic model for CSP; rather, we aim to extend the current model while conserving the existing semantics. Therefore, our construction must be appropriately justified in the context of the existing model [58].

With this in mind, the UTP framework and its CSP model provide a solid basis for studying the concept of angelic nondeterminism in the context of process algebras. We also observe that a UTP theory is a complete lattice where both angelic and demonic choice can be modelled as the meet and join, respectively.

The UTP supports work in the wider context of semantic models that consider behaviour and other aspects, such as data, security, mobility, and so on. Examples of such heterogeneous semantic models built using the UTP include Circus [22], which combines CSP with the Z specification language. Our aim is to enable such semantic models to benefit from our treatment of angelic nondeterminism.

We also aim to enable existing modelling approaches and refinement techniques to be reused. This is central to the relevance and applicability of our semantic model. An important factor in UTP theories, for example, is that the refinement order is common across all theories. Our emphasis on maintaining a compatible semantics is essential in order to enable the reuse of existing refinement techniques.

Our goal ultimately consists in developing a conservative extension of the CSP theory [39] through a predicative encoding of multirelations that is suitable for characterising CSP processes. Of particular importance is the treatment of divergence, where angelic choice can avoid potentially divergent processes. We seek a theory of CSP with both angelic and demonic nondeterminism, which is applicable to any algebra of state-rich reactive processes. In the following section we discuss our theories, by showing their relationship with other semantic models of interest, namely CSP.


1.3 Overview of Semantic Models

In this section we provide an overview of all the semantic models of interest in the context of our work. This includes both existing models as well as those we propose.

In the UTP [39] theories are characterised by three components: an alphabet, which is a set of variables available for recording the observations of programs in a particular paradigm, including program variables; a set of healthiness conditions, which are idempotent and monotonic functions, usually with a name written in boldface, whose fixed points are the valid predicates of a theory; and a set of operators. For a relation P, the alphabet is split into two disjoint subsets, inα(P), which contains undashed variables corresponding to the initial observations, and outα(P), containing dashed counterparts for after or final observations.


Each theory of interest is depicted in Figure 1.1 and also individually in the subsequent Figures 1.2 to 1.6 by an ellipse, and labelled according to the name of its characterising healthiness condition. Subset theories correspond to enclosed ellipses. While the formal definition of each healthiness condition is deferred to later chapters, in Tables 1.1 to 1.6 we informally describe the healthiness conditions of each theory. In Figure 1.1 arrows denote linking functions established between theories. Pairs of solid arrows denote isomorphic models, while pairs with a dashed arrow indicate an adjoint (that is part of a Galois connection).

In the next Section 1.3.1 we describe the theory of designs. Section 1.3.2 focuses on the theory of CSP as reactive designs. In Section 1.3.3 we discuss the relationship between the theory of binary multirelations, the predicative encoding of [38], and the relationship with our theory of extended binary multirelations. In Section 1.3.4 we discuss our theory of angelic designs, which is the basis for extending the concept of angelic nondeterminism to CSP through the theory of reactive angelic designs, summarized in Section 1.3.5. Finally, Section 1.3.6 discusses our theory of angelic processes.


1.3.1 Designs

Since CSP processes are expressed in the UTP through reactive designs, the first theory of interest is that of designs, which models total correctness. Designs are relations whose alphabet contains not only program variables, but also auxiliary Boolean variables to capture termination. Its characterising healthiness conditions are H1 and H2, whose composition is called H, as summarized in Table 1.1. In general, this is a theory that encompasses programs whose preconditions can refer to the after or final observations of a computation. As a consequence these observations can be ascertained irrespective of termination. Such designs do not satisfy the healthiness condition H3. This is precisely the case when characterising a CSP process through reactive designs, such as a → Chaos, whose precondition requires that no after observation of the trace of events is prefixed by the event a; otherwise, it diverges.

Table 1.1: Healthiness Conditions of Designs

  H1  Meaningful observations can only be made once a design has been started.
  H2  A design may not require non-termination.
  H3  A design must have arbitrary behaviour when it does not terminate.

The subset of designs whose preconditions may not refer to the after or final observations of a computation is characterised by H3. These designs correspond to standard pre and postcondition pairs as found in notations like Z [8] and VDM [11].

In the context of our work, we consider a theory of designs whose relations are not homogeneous, that is, their input and output alphabets differ. This is because of the multirelational nature of our encoding of angelic nondeterminism. In Figure 1.2 we highlight the theories of homogeneous and non-homogeneous designs in the context of other theories previously depicted in Figure 1.1.

Figure 1.2: Theories of designs and reactive designs


1.3.2 CSP Processes as Reactive Designs

The second theory of interest is that of reactive processes, whose combination with the theory of designs provides the characterisation of CSP processes in the UTP. In the theory of reactive processes the alphabet is extended with observational variables to record the interactions with the environment: a trace of events, a set of events refused, and a Boolean variable that records whether the process is waiting for an interaction. Its healthiness conditions, which we informally describe in Table 1.2, are R1, R2 and R3, whose functional composition is R.

Table 1.2: Healthiness Conditions of Reactive Processes

  R1  A process can only extend the trace of events.
  R2  A process must be insensitive to the initial trace of events.
  R3  A process must only start executing once any previous interactions with the environment have finished.
  R   Functional composition of R1, R2 and R3 that characterises reactive processes.

In order to characterise CSP processes, another two healthiness conditions are necessary. They are CSP1 and CSP2, whose informal description is included in Table 1.3. Together, these healthiness conditions allow the characterisation of CSP processes as the image of designs through the function R [39], that is, in terms of pre and postcondition pairs.

Table 1.3: Healthiness Conditions of CSP Processes

  CSP1  A process that is in a divergent state can only extend the trace of events.
  CSP2  A recast of H2 within the model of reactive processes.

Since it is our goal to keep the semantics unchanged for the subset of nondivergent processes, in each theory of processes that we study, we identify such a subset. This is characterised by the healthiness condition ND, which is tailored to the theory of interest by adding a subscript corresponding to the characterising healthiness condition of the theory it applies to.


1.3.3 Binary Multirelations and their UTP Encoding

To achieve our goal we have developed a predicative encoding of multirelations suitable for characterising processes. Our starting point was the predicative encoding of Cavalcanti et al. [38], whose theory is characterised by the healthiness condition PBMH. This is essentially a predicative version of BMH, which characterises a set-based model of upward-closed binary multirelations [35].

In [38] the authors establish that both models are isomorphic through a stepwise construction of models, as previously discussed in Section 1.1. This is achieved through the composition of the linking functions sb2p ∘ bm2sb and sb2bm ∘ p2sb, which we include in Figures 1.1 and 1.3 for completeness. The first contribution of this thesis is a theory of extended binary multirelations that caters for potentially non-terminating computations. This theory is isomorphic to the theory of angelic designs, which we describe in the next section. It is characterised by the healthiness condition BMH⊥, which corresponds to the conjunction of BMH0, BMH1 and BMH2 as described in Table 1.4. Finally, we establish that the subset of BMH3 multirelations is isomorphic to the original theory of binary multirelations, via the pair of linking functions bmb2bm and bm2bmb. In general, a Galois connection can also be established between BMH⊥ and BMH. Figure 1.3, which highlights the theories in the context of Figure 1.1, illustrates these connections.

Table 1.4: Healthiness Conditions of Extended Binary Multirelations

  BMH0  The set of final states must be upward-closed.
  BMH1  Similarly to H2, forbids the specification of non-termination.
  BMH2  Appropriately characterises two complementary notions of abortion.
  BMH3  Characterises the subset of BMH⊥ that is isomorphic to the original theory of binary multirelations.
  BMH⊥  Conjunction of BMH0, BMH1 and BMH2.

Figure 1.3: Theories related to binary multirelations
1.3.4 Angelic Designs

Our approach for developing a model of CSP with angelic nondeterminism closely follows that of the UTP model of CSP. Based on the encoding proposed in [38], we have developed a theory of angelic designs where we reintroduce the auxiliary Boolean variables of the original theory of designs. Furthermore, we also generalise that model to cope with non-H3 designs, as required for specifying CSP processes. This theory is characterised by the healthiness conditions A0 and A1, whose functional composition is A (as described in Table 1.5), and H1 and H2 of the original theory of designs.

Table 1.5: Healthiness Conditions of Angelic Designs

  A0  Whenever the precondition of a design is satisfied, then the set of angelic choices must not be empty.
  A1  The set of angelic choices must be upward-closed.
  A2  Characterises the subset of relations that effectively do not have any angelic choices.
  A   Functional composition of A0 and A1.

The additional healthiness condition A2 characterises the subset of A-designs that do not exhibit angelic nondeterminism. This is useful to establish that the subset of A2 angelic designs is isomorphic to the original theory of homogeneous designs, via the linking functions d2ac and p2ac. In general, these adjoints also enable a Galois connection to be established with the set of A-designs. As part of validating our approach, we also establish that the subset of angelic designs that is H3-healthy is isomorphic to the theory of PBMH [38]. This is achieved by introducing two linking functions, d2pbmh and pbmh2d, that map predicates in that theory to angelic designs, and vice versa. In Figure 1.4 we highlight the theory of angelic designs in the context of Figure 1.1 and show its relationship with the PBMH theory, the extended theory of binary multirelations, and the original theory of homogeneous designs.

In addition, and as already discussed, we have developed an extended set-based model of binary multirelations that is isomorphic to A-healthy designs. This complementary model is useful to understand the implications of non-homogeneous relations and also to validate certain aspects of the model of angelic designs, such as the notion of sequential composition, which is not entirely trivial in the context of a predicative encoding of multirelations. We establish that these two models are isomorphic through the pair of linking functions bmb2d and d2bmb.

Figure 1.4: Theory of angelic designs and links


1.3.5 Reactive Angelic Designs

Having established a theory of angelic designs, we introduce a conservative extension of CSP with angelic nondeterminism. This is achieved by considering an encoding of the observational variables of reactive processes, based on that used for angelic designs, and expressing every healthiness condition of CSP with this encoding. For each healthiness condition R1, R2, R3, CSP1 and CSP2, we introduce a counterpart in this model, as summarized in Table 1.6. The theory is characterised by RAD, which is defined by the composition of all healthiness conditions of interest, including PBMH, which guarantees upward-closure for the sets of final states. As part of our validation approach, we establish that the subset of RAD with no angelic nondeterminism, characterised by A2, is isomorphic to the theory of CSP. This is achieved by introducing the linking functions ac2p and p2ac. In general, if we consider the superset RAD, a Galois connection exists between the theories. This relationship is illustrated in Figure 1.5.

Table 1.6: Healthiness Conditions of Reactive Angelic Designs

  RA1     There must be some set of angelic choices available to the angel, and in any such set, the trace of events can only be extended.
  RA2     A process must be insensitive to the initial value of the trace of events.
  RA3     A process must not start executing before its predecessor has stopped interacting with its environment.
  RA      Functional composition of RA1, RA2 and RA3.
  CSPA1   When in an unstable state, RA1 must be enforced.
  CSPA2   A recast of H2 within this model.
  RAD     Functional composition of all of the above healthiness conditions and PBMH.
  ND_RAD  Characterises the subset of non-divergent reactive angelic designs.

The theory of reactive angelic designs corresponds to a natural extension of the CSP theory with both angelic and demonic nondeterminism. In this theory it is possible to establish that angelic choice avoids divergence. For example, the angelic choice a → Chaos ⊔ b → Skip becomes a → Skip, provided that a and b are equal. However, since RA1 requires under all circumstances that no trace of events may be undone, if a and b are different events, then the possibility to observe the event a cannot be entirely excluded, and so divergence is still a possibility. In order to lift this restriction we have relaxed RA1 in case of divergence, which is the motivation for the theory of angelic processes that we discuss in the next section.

Figure 1.5: Theory of reactive angelic designs and links with CSP
1.3.6 Angelic Processes

In order to allow angelic choice to exclude potentially divergent processes, we relax the theory of reactive angelic designs by allowing the history of events to be undone whenever there is the potential to diverge. This is achieved by not enforcing RA1 in all cases. Therefore, we redefine RA3 to cope with this fact as RA3_AP, and define the healthiness condition of this theory as AP, as summarized in Table 1.7.

Table 1.7: Healthiness Conditions of Angelic Processes

  RA3_AP  A recast of RA3 in the theory of angelic processes.
  AP      Functional composition of RA3_AP, RA2, A, and H1 and H2 of the theory of designs (with the corresponding alphabet of this theory).
  ND_AP   Characterises the subset of non-divergent angelic processes.

The consequence of the functional composition underlying AP is that this model is effectively a theory of angelic designs, where RA1 is only required in the postcondition. This is a direct consequence of the definition of A, as it requires that the set of angelic choices in the postcondition of an A-design is not empty.

Figure 1.6: Theory of angelic processes and link with reactive angelic designs

The resulting theory is more generic than that of reactive angelic designs, since it does not require RA1. As part of our validation approach, we establish a Galois connection with the theory of reactive angelic designs, and also prove that an isomorphism exists with respect to the subsets of non-divergent processes, characterised by ND_RAD and ND_AP, respectively. This is achieved by turning reactive angelic designs into designs, through H1, while in the opposite direction we just enforce RA1. These links are depicted in Figure 1.6, where we highlight both theories in the context of Figure 1.1.
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A detailed account of all the new theories is presented in the sequel as described 
below. 


1.4 Outline 


In Chapter 2 we provide an overview of the concept of angelic nondeterminism as 
found in the literature. In addition, we discuss the most important semantic models 
in the context of our work by introducing: weakest precondition semantics, binary 
multirelations, the UTP and the existing models of CSP. 

Chapter 3 presents the extended model of binary multirelations that handles 
non-terminating computations. We introduce the healthiness condition BMHx as 
well as the most important operators of this theory. Finally, we establish its 
relationship with the existing model of binary multirelations via linking functions (see 
Figure 1.3). 


Chapter 4 introduces the theory of angelic designs, the first new UTP theory 
developed in this thesis. We introduce the alphabet of the theory, followed by the 
healthiness conditions A0 to A2. The relationship with the extended model of 
binary multirelations is studied before introducing the most important operators. 
We conclude this chapter by studying the relationship of the subset of angelic designs 
that are H3-healthy and the PBMH theory of |BSj. 

In Chapter 5 the theory of reactive angelic designs is presented. This is a 
natural extension of the UTP model of CSP in the context of a theory with angelic 
nondeterminism, where the healthiness conditions of CSP are expressed using this 
new encoding. The resulting healthiness condition is RAD. Finally, we discuss the 
operators and study the link with the existing theory of reactive designs. 

Our final contribution is found in Chapter 6, where we present the theory of 
angelic processes, whose healthiness condition is AP. This chapter concludes by 
exploring the relationship with the theory of reactive angelic designs and the main 
algebraic properties. 

Finally, in Chapter 7 we summarize the main contributions of this thesis and 
further contextualize our work. We conclude with pointers for future work. 
Chapter 2 

Angelic Nondeterminism 


In this chapter we provide an account of angelic nondeterminism as found in the 
literature, and introduce the foundations upon which our theories are built. Section 2.1 
discusses the concept of angelic nondeterminism and its applications. In Section 2.2 
we introduce Dijkstra’s weakest preconditions and the predicate transformers of the 
refinement calculus. Section 2.3 introduces Rewitzky’s theory of binary 
multirelations. In Section 2.4 we provide an introduction to the UTP of Hoare and He. 
Finally, Section 2.5 contains a short introduction to CSP and a discussion on the 
different semantic approaches to characterising angelic nondeterminism in CSP. 


2.1 Definition and Applications 

The earliest use of angelic nondeterminism can be found in the theories of 
computation, more specifically in automata theory [52] and Turing machines [53]. For 
example, in pushdown stack automata, the addition of nondeterminism enables the 
automaton to accept arbitrary context-free languages [51], while for Turing 
machines it helps characterise the class of NP-problems [53] whose solutions can be 
found efficiently given an angelically nondeterministic machine. 

Angelic nondeterminism has been used as a specification and programming 
construct in several applications, including parsing [55], modelling of game-like 
scenarios [32] and user interactions, theorem proving tactics [53,157], constraint 
programming [58], logic programming [59] and others. These are problems where finding 
solutions often involves a combination of search and backtracking. For instance, in 
Angel [53 E7], theorem proof tactics can be combined through angelic choice, such 
that failure leads to backtracking. 

While this is a perfectly reasonable interpretation of angelic choice, backtracking 
is not the only possibility, nor is it always desired. Irrespective of the actual 
operation of an angelic choice, its distinguishing feature across the different applications is 
its capability to provide a high degree of abstraction while still guaranteeing success. 

Already in 1967, Floyd [60] envisioned angelic choice as a mechanism for the 
abstract specification of algorithms, with actual executable programs being produced 
mechanically, perhaps by a compiler. In the context of his formal characterisation 
of programs as flowcharts, Floyd introduced explicit nondeterministic choice points, 
and appropriate notions of success and failure, in order to avoid implementation 
details of particular execution strategies. Although angelic nondeterminism is usually 
interpreted operationally as a backtracking mechanism, it can also be implemented 
through some form of parallelism [61]. 

Almost at the same time, important contributions were being made to the 
theoretical understanding of programs. In 1969, Hoare proposed his formal system for 
proving partial correctness in the context of sequential programming languages [6]. 
While in 1975 Dijkstra [71162] introduced his language of guarded commands, an 
imperative language with repetitive and nondeterministic constructs. Unlike Floyd’s 
choice points, Dijkstra’s nondeterministic choice was no longer angelic. 

Dijkstra [3162] fundamentally changed the approach to establishing total 
correctness by calculation through his weakest precondition semantics. His model restricted 
itself to feasible programs by excluding the existence of miracles (with the so called 
“Law of the Excluded Miracle”). Miracle is the theoretical counterpart to abort and 
corresponds to the infeasible program that can never be executed, while abort 
represents the worst possible program whose behaviour, in the context of a theory of 
total correctness, is completely arbitrary. 

When Back [261 [62], Morris [29] and Morgan [31] introduced the refinement 
calculus, miracles were introduced back into their models. This enabled their models 
to become more generic, and paved the way for the development of models that are 
complete lattices under the refinement order. The most important was, perhaps, the 
lattice of monotonic predicate transformers where angelic and demonic choice are 
modelled as the least upper bound and greatest lower bound of the lattice. Back and 
von Wright [32] extensively studied sublattices, where choice can be either angelic 
or demonic. They have also considered angelic nondeterminism in the context of 
game-like scenarios and modelling of user interactions. 

Angelic choice also plays a significant role amongst data refinement techniques, 
such as that of Gardiner and Morgan [33], where the least upper bound is used to 
define logical variables. These enable the postcondition of a specification statement 
to refer to the initial value of a program variable. 

Ward and Hayes, in their work [61] on applications of angelic nondeterminism, 
clearly emphasize that unlike Floyd’s choice points, the angelic choice of the 
refinement calculus can “look ahead” and guide choices to avoid divergence, if at all 
possible. This is not restricted to explicit choice points, but rather applies to any 
angelic construct, such as the angelic assignment of values to program variables, 
which they explore in the refinement of programs from high-level specifications. 


In the context of theories of total correctness, computations can also be specified 
through relations between initial states and final states. This is the notion adopted in 
formal notations like Z [8] and VDM [TT], where there is an explicit relation between 
the initial and final value of a computation. However, as Back [32] and Cavalcanti 
et al. Pj have noted, relations can only capture one type of nondeterminism, either 
angelic or demonic, but not both. 

When Cavalcanti et al. [64] proposed the introduction of angelic nondeterminism 
into the relational setting of Hoare and He’s UTP [32], a multirelational encoding 
had to be considered. They first established that, in general, UTP relations are 
isomorphic to conjunctive predicate transformers. Their solution to the problem 
consisted in defining a predicative encoding of Rewitzky’s [33] upward-closed binary 
multirelations, which is the basis for the work that we describe in this thesis. 


As already mentioned, Rewitzky’s [35] multirelations are relations between 
initial states and sets of final states. In [36] several models of binary multirelations 
are considered, of which the model of upward-closed multirelations is the most 
important due to its lattice-theoretic structure. In this model, the refinement order 
is reverse subset inclusion, and angelic and demonic choice correspond to set union 
and intersection, respectively. We discuss this model in more detail in Section 2.3. 


More recently, Guttmann [37] has proposed a generalised algebraic structure 
that has both the monotonic predicate transformers and multirelations as instances. 
Guttmann has also extensively studied the relational properties of multirelations, 
and proposed an extension catering for non-terminating computations [65] in the 
setting of general correctness. This involves extending the set of final states to 
record whether a computation does not terminate: a similar idea is used in our 
extended model of binary multirelations [3] where we record whether a computation 
may not terminate and still establish some final value. This model is part of the 
first contribution of this thesis and is discussed in detail in Chapter 3. 


In Section 2.5 we come back to the topic of angelic nondeterminism by reviewing 
the existing approaches to characterising angelic nondeterminism in CSP. Next we 
introduce Dijkstra’s weakest precondition semantics. 
2.2 Weakest Preconditions 

As already discussed, one of the earliest treatments of total correctness is due to 
Dijkstra [3 Eg], through his language of guarded commands and weakest precondition 
semantics. The underlying idea is that for each program statement S and 
postcondition q, it is possible to establish the weakest precondition wp(S, q), such that, 
starting S in a state satisfying wp(S, q) achieves postcondition q. A weakest 
precondition characterises all possible initial states that lead to successful termination with 
the postcondition holding. In Dijkstra’s model (ZU52], predicates are characterised 
by functions on all points of a state space, which in his original presentation E2] are 
defined through Cartesian products. 

If we consider the program Skip, which does not change the state and always 
terminates successfully, its weakest precondition semantics is defined as follows. 

Definition 1 wp(Skip, q) = q 

That is, the weakest precondition corresponds exactly to the intended outcome q. 
A simple assignment statement, where a program variable x is assigned the value of 
an expression e, is given semantics for a postcondition q as follows. 

Definition 2 wp(x := e, q) = q[e/x] 

In other words, the weakest precondition of the assignment is given as the 
substitution of expression e for variable x in the corresponding postcondition q. 

In general, not all possible weakest preconditions are valid, in the sense that the 
semantic model must obey certain fundamental properties of interest, such as 
monotonicity. In what follows, we review the original properties of Dijkstra’s model [52]. 

2.2.1 Healthiness Conditions 

Dijkstra’s semantics [52] insist on four healthiness conditions, which we discuss in 
this section. The first property, reproduced below, corresponds to the “Law of the 
Excluded Miracle”, which forbids miraculous behaviour from being specified. 

Definition 3 (Non-miraculous) $wp(S, F) = F$ 

If program statement S could achieve F, the predicate which is false everywhere, 
then there would have to be some initial state satisfying wp(S, F), which is impossible; hence 
no such initial state exists. This 
is precisely one of the properties that Back [32], Morris [29] and Morgan [31] relaxed 
in order to introduce the lattice of monotonic predicate transformers. 
The fundamental property of interest in models for refinement is monotonicity. 
The definition [62] is reproduced below. 

Definition 4 (Monotonicity) $(q \Rightarrow r) \Rightarrow (wp(S, q) \Rightarrow wp(S, r))$ 

For every state and program statement S, whenever q is a stronger predicate than 
r, then the weakest precondition wp(S, q ) is also stronger than wp(S, r ). In other 
words, if q is a postcondition stronger than r, then, the set of initial states guaranteed 
to establish q is a subset of those that establish r. 

The next healthiness condition that Dijkstra presents is conjunctivity, whose 
formal definition is reproduced below [62]. 

Definition 5 (Conjunctivity) $wp(S, q) \wedge wp(S, r) \Leftrightarrow wp(S, q \wedge r)$ 

The right-hand side implication follows directly from monotonicity and properties 
of the predicate calculus. However, the left-hand side implication is not necessarily 
satisfied in general. In fact, this property is precisely what prevents angelic 
nondeterminism from being specified in Dijkstra’s model, as noted by Back [63]. This 
result follows from the definition of the angelic statement whose semantics, as given, 
for example, in [HUES], is defined using an existential quantification. 

The counterpart to conjunctivity is disjunctivity, whose definition is as follows. 

Definition 6 (Disjunctivity) $wp(S, q) \vee wp(S, r) \Leftrightarrow wp(S, q \vee r)$ 

Since weakest preconditions observing this property cannot model demonic 
nondeterminism, Dijkstra [62] uses a weaker version where only the left-hand side 
implication is enforced. Similarly to the angelic statement, the demonic specification 
statement is defined, for example, in [Ml IBB] using a universal quantification. 

In [63] Back and von Wright extensively study different models of weakest 
preconditions with different properties, including models with and without miracles, 
conjunctivity and disjunctivity. They conclude that by considering a model that is 
neither conjunctive nor disjunctive, both forms of nondeterminism can be modelled 
together. Furthermore, by considering a model with miracles, a complete lattice 
exists where angelic and demonic choice correspond to the meet and join, 
respectively. This is a result explored in all versions of the refinement calculus mmm. 
Our remaining discussion on weakest preconditions is mostly based on Back and von 
Wright’s work [32]. 
2.2.2 Predicate Transformers 

The wp function of Dijkstra is a predicate transformer as it maps predicates to 
predicates. Back and von Wright [62], in their presentation of the refinement calculus, 
introduce the notion of contracts which can be either specifications or programs. The 
satisfaction of a contract S by establishing postcondition q when started from an 
initial state $\sigma$ is denoted by $\sigma \{| S |\} q$. They characterise $wp : \mathcal{P}\Sigma \to \mathcal{P}\Sigma$, where 
the state space is $\Sigma$, for a contract S as follows. 

Definition 7 (Weakest Precondition) $wp(S, q) = \{\sigma \mid \sigma \{| S |\} q\}$ 

That is, the set of all initial states $\sigma$, from which S is guaranteed to establish q. 
Weakest precondition semantics can then be given to their language of contracts [62], 
which we reproduce in the following definition. 

Definition 8 (Basic Weakest Preconditions) 

$wp(\langle f \rangle, q) = f^{-1}(q)$ 
$wp(\{g\}, q) = g \cap q$ 
$wp([g], q) = \neg g \cup q$ 
$wp(S_1 ; S_2, q) = wp(S_1, wp(S_2, q))$ 
$wp(S_1 \sqcup S_2, q) = wp(S_1, q) \cup wp(S_2, q)$ 
$wp(S_1 \sqcap S_2, q) = wp(S_1, q) \cap wp(S_2, q)$ 

The first construct $\langle f \rangle$ is a functional update that changes the state according to 
function f. An example is the identity id, which does not change the state. 

The following construct $\{g\}$ is an assertion, which has no effect on the state if g 
holds. Otherwise the program aborts. The assertion $\sigma \{| \{g\} |\} q$ holds if, and only 
if, the state $\sigma$ is in the intersection of g and the postcondition q. 

Its dual is the assumption $[g]$; it has no effect if g holds and otherwise the 
contract is satisfied trivially. Hence, the weakest precondition is given by $\sigma \in q$ and 
otherwise, if g fails to hold, then $\sigma \in \neg g$. 

The sequential composition of $S_1$ and $S_2$ is given as the weakest precondition of 
$S_1$, with respect to the postcondition characterised by the weakest precondition of 
$S_2$. That is, $wp(S_2, q)$ is an intermediate condition that needs to be satisfied in order 
to achieve q. 

Finally, angelic and demonic choice are defined as $\sqcup$ and $\sqcap$, respectively. In an 
angelic choice, it is sufficient that either the precondition of $S_1$ or $S_2$ is satisfied in 
order to achieve q, whereas in a demonic choice both need to be satisfied. 
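The clauses of Definition 8 and the healthiness conditions of Section 2.2.1 can be checked mechanically once the state space is finite, because every predicate is then a set of states and every universally quantified property can be decided by enumeration. The following Python block is an added example, not code from the thesis or from Back and von Wright: it interprets the contract language over a constructed four-element state space, and uses that interpreter to show that the angelic choice of two functional updates is monotonic and disjunctive but not conjunctive, while the demonic choice is conjunctive but not disjunctive, and that the assumption $[false]$ violates the Law of the Excluded Miracle. The contract names (INC, SET0, ANGEL, and so on) are assumptions of the example.

```python
"""Weakest preconditions of the basic contract language (Definition 8)
over a small finite state space.

Added example, not code from the thesis or from Back and von Wright.
A state is a single integer (the value of the only program variable),
a predicate is the frozenset of states satisfying it, and a contract is
a small tree of Python objects interpreted by wp().  The state space
{0, 1, 2, 3} and every contract below are constructed for the example.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, FrozenSet

State = int
Pred = FrozenSet[State]
STATES: Pred = frozenset(range(4))                     # constructed state space
PREDS = [frozenset(c) for k in range(len(STATES) + 1)
         for c in combinations(sorted(STATES), k)]     # P(STATES): 16 predicates


@dataclass(frozen=True)
class Update:      # <f>: functional update
    f: Callable[[State], State]

@dataclass(frozen=True)
class Assert:      # {g}: no effect if g holds, aborts otherwise
    g: Pred

@dataclass(frozen=True)
class Assume:      # [g]: no effect if g holds, trivially satisfied otherwise
    g: Pred

@dataclass(frozen=True)
class Seq:         # S1 ; S2
    s1: object
    s2: object

@dataclass(frozen=True)
class Angel:       # S1 ⊔ S2, angelic choice
    s1: object
    s2: object

@dataclass(frozen=True)
class Demon:       # S1 ⊓ S2, demonic choice
    s1: object
    s2: object


def wp(s, q: Pred) -> Pred:
    """The six clauses of Definition 8, read as set operations on predicates."""
    if isinstance(s, Update):
        return frozenset(x for x in STATES if s.f(x) in q)   # f^-1(q)
    if isinstance(s, Assert):
        return s.g & q                                        # g ∩ q
    if isinstance(s, Assume):
        return (STATES - s.g) | q                             # ¬g ∪ q
    if isinstance(s, Seq):
        return wp(s.s1, wp(s.s2, q))
    if isinstance(s, Angel):
        return wp(s.s1, q) | wp(s.s2, q)
    if isinstance(s, Demon):
        return wp(s.s1, q) & wp(s.s2, q)
    raise TypeError(f"not a contract: {s!r}")


# Healthiness conditions of Section 2.2.1, decided by enumerating P(STATES).
def non_miraculous(s) -> bool:             # Definition 3: wp(S, false) = false
    return wp(s, frozenset()) == frozenset()

def is_monotonic(s) -> bool:               # Definition 4
    return all(wp(s, q) <= wp(s, r) for q in PREDS for r in PREDS if q <= r)

def is_conjunctive(s) -> bool:             # Definition 5, both directions
    return all(wp(s, q) & wp(s, r) == wp(s, q & r) for q in PREDS for r in PREDS)

def is_disjunctive(s) -> bool:             # Definition 6, both directions
    return all(wp(s, q) | wp(s, r) == wp(s, q | r) for q in PREDS for r in PREDS)

def refines(s1, s2) -> bool:               # Definition 9, read pointwise on predicates
    return all(wp(s1, q) <= wp(s2, q) for q in PREDS)


# Constructed contracts used to exercise the definitions.
INC = Update(lambda x: (x + 1) % 4)        # x := x + 1 (mod 4)
SET0 = Update(lambda x: 0)                 # x := 0
SET1 = Update(lambda x: 1)                 # x := 1
ANGEL = Angel(SET0, SET1)                  # angelic assignment of 0 or 1
DEMON = Demon(SET0, SET1)                  # demonic assignment of 0 or 1
ABORT = Assert(frozenset())                # {false}: bottom of the order
MIRACLE = Assume(frozenset())              # [false]: top of the order

if __name__ == "__main__":
    print("wp(INC ; INC, {2}) =", sorted(wp(Seq(INC, INC), frozenset({2}))))
    for name, c in [("ANGEL", ANGEL), ("DEMON", DEMON), ("MIRACLE", MIRACLE)]:
        print(name, "monotonic:", is_monotonic(c), "conjunctive:", is_conjunctive(c),
              "disjunctive:", is_disjunctive(c), "non-miraculous:", non_miraculous(c))
```

The counterexample to conjunctivity is the one the text alludes to: with q = {0} and r = {1}, the angel can reach either postcondition from every state, so wp(ANGEL, q) and wp(ANGEL, r) are both the whole state space, yet q ∧ r is false and wp(ANGEL, false) is empty. Dually, DEMON can establish {0, 1} from everywhere but neither {0} nor {1} alone, which breaks the right-to-left half of disjunctivity.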


2.2.3 Predicate Transformers Lattice 

In Back and von Wright’s model [32], the notion of refinement is given for two 
contracts $S_1$ and $S_2$ as follows. 

Definition 9 $S_1 \sqsubseteq S_2 \Leftrightarrow \forall \sigma, q \bullet \sigma \{| S_1 |\} q \Rightarrow \sigma \{| S_2 |\} q$ 

A contract $S_1$ is refined by $S_2$ if, and only if, for all initial states $\sigma$ and 
postconditions q, if $\sigma$ is an initial state of contract $S_1$ leading to postcondition q, then it 
is also an initial state of $S_2$ leading to q. As this order is reflexive, transitive and 
antisymmetric |32l EZj, it is a partial order. The bottom element is the assertion 
$\{false\}$, which can never be satisfied in any initial state, while the top element is 
the assumption $[false]$, so that it is trivially satisfied in any initial state for any final 
condition q. 

When Back and von Wright [32] introduce their model of predicate transformers, 
they actually consider the target state space as being potentially different from the 
initial state space, as required, for instance, to model states with scoped variables. 
Thus, the set of predicate transformers from an initial state space $\Sigma$ to a final state 
space $\Gamma$ is defined by $\mathcal{P}\Gamma \to \mathcal{P}\Sigma$. 

The refinement order for predicate transformers is defined by considering the 
pointwise extension of the subset ordering; for predicate transformers $T_1$ and $T_2$, 
we have the following definition. 

Definition 10 $T_1 \sqsubseteq T_2 \Leftrightarrow \forall q \in \mathcal{P}\Gamma \bullet T_1(q) \subseteq T_2(q)$ 


That is, $T_1$ is refined by $T_2$, if, and only if, the set of initial states that characterise 
the weakest precondition for q to be established according to $T_1$ is a subset of that 
characterised by $T_2$. This order forms a complete Boolean lattice [32]. Thus the 
lattice operators on predicate transformers are pointwise extensions of the 
corresponding operators on predicates [32]. 

Finally, in [32] Back and von Wright consider the complete sublattice of 
monotonic predicate transformers. What is particularly important about their result is 
that every basic statement is monotonic and so are the sequential composition, meet, 
and join of predicate transformers [32]. 

This concludes our discussion of the lattice of monotonic predicate transformers 
as the standard model where angelic and demonic nondeterminism have traditionally 
been studied. In the following Section 2.3 we discuss the theory of upward-closed 
binary multirelations, which is effectively a relational characterisation of the 
predicate transformers model [55]. 


2.3 Binary Multirelations 

As already discussed, it is not possible to model both angelic and demonic 
nondeterminism in a purely relational model. However, multirelational models can be 
used to characterise both forms of nondeterminism in a relational setting. 

In [55] Rewitzky introduces the theory of binary multirelations, which are 
relations between initial states and sets of final states. In our presentation we define 
these relations through the following type BM, where State is a type of records with 
a component for each program variable. 

Definition 11 $BM = State \leftrightarrow \mathcal{P} State$ 

An example of a program in this model is the assignment of the value 1 to the only 
program variable x when started from any initial state. 

Example 1 $x :=_{BM} 1 = \{s : State, ss : \mathcal{P} State \mid (x \mapsto 1) \in ss\}$ 

This assignment, which we subscript with BM to distinguish it from assignment 
statements in other models that we discuss later, is defined by relating every initial 
state s to a set of final states ss where the component x is set to the value 1. For 
conciseness, in the examples and definitions that follow, the types of s and ss may 
be omitted where it is clear that the composite type is BM. 

The target set of a binary multirelation can be interpreted as either encoding 
angelic or demonic choices [55* HI]. Here we present a model where the set of final 
states encodes angelic choices. This decision is justified in [55] as maintaining the 
refinement order of the isomorphic UTP model of Cavalcanti et al. [58], which we 
discuss in Section 2.4.4. 

Demonic choices are encoded by the different ways in which the set of final 
states can be chosen. For example, consider the following program which angelically 
assigns the value 1 or 2 to the only program variable x; it uses $\sqcup_{BM}$, the angelic choice 
operator for binary multirelations. 

Example 2 $x :=_{BM} 1 \sqcup_{BM} x :=_{BM} 2 = \{s, ss \mid (x \mapsto 1) \in ss \wedge (x \mapsto 2) \in ss\}$ 

In this multirelation, every initial state s is associated with all sets ss in which we 
can find the choice of a final state where x is assigned the value 1 or 2. Irrespective 
of the set of final states chosen by the demon, the angel is always able to enforce 
this choice. As illustrated, for a particular initial state, the choices available to the 
angel correspond to those in the distributed intersection over all possible sets of final 
states. 


2.3.1 Healthiness Conditions 

Example 2 above illustrates a fundamental property of binary multirelations: 
upward-closure [35]. This property is captured by the following healthiness condition for a 
multirelation B. 


Definition 12 BMH $\forall s, ss_0, ss_1 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1) \Rightarrow (s, ss_1) \in B$ 


If an initial state s is related to a set of final states $ss_0$, then it is also related to any 
superset $ss_1$. This reflects the fact that if it is possible to terminate in some final 
state in $ss_0$, then the addition of any other final states to that set does not change 
the actual states available for angelic choice. 

Upward-closure ensures that there is a complete lattice under the subset 
order, with angelic and demonic choice corresponding to the least upper bound and 
greatest lower bound, respectively. Moreover, in [35] Rewitzky establishes that there 
is a bijection between upward-closed binary multirelations and monotonic unary 
operators. Since, as explained in Section 2.2, predicate transformer semantics can be 
given in terms of monotonic unary operators, this establishes that the multirelational 
model is in fact a relational characterisation for commands with both forms 
of nondeterminism. 


2.3.2 Refinement 

In the model of upward-closed binary multirelations, refinement is defined for healthy 
multirelations $B_0$ and $B_1$ by reverse subset inclusion as follows [35]. 

Definition 13 $B_0 \sqsubseteq_{BM} B_1 \Leftrightarrow B_0 \supseteq B_1$ 

A multirelation $B_0$ is refined by $B_1$ if, and only if, $B_1$ is a subset of $B_0$. 

This partial order forms a complete lattice. The bottom element $\bot_{BM}$, 
corresponding to the notion of abort, is defined by the universal relation, which associates 
every initial state to every possible set of final states. 

Definition 14 $\bot_{BM} = State \times \mathcal{P} State$ 
The top element $\top_{BM}$ is defined by the empty relation and corresponds to the notion 
of miracle, the infeasible program. 

Definition 15 $\top_{BM} = \emptyset$ 

Via refinement, the degree of angelic nondeterminism of a program can be increased, 
while the degree of demonic nondeterminism can be decreased, that is, a program can 
be refined into a demonically more deterministic one. In particular, the infeasible 
program $\top_{BM}$ refines every other program, while every program refines $\bot_{BM}$. 

2.3.3 Operators 

In this section we present the main operators of the theory of binary multirelations 
and discuss their most important properties. 

Assignment 

The first operator of interest, which we have briefly discussed in Example 2, is 
assignment. Its complete definition is as follows. 

Definition 16 $x :=_{BM} e = \{s, ss \mid s \oplus (x \mapsto e) \in ss\}$ 

Every initial state s is related to every set of final states ss that includes a state 
where s is overridden to define that x has the value of expression e. 

Angelic Choice 

The angelic choice operator is defined as set intersection. 

Definition 17 $B_0 \sqcup_{BM} B_1 = B_0 \cap B_1$ 

This operator corresponds to the least upper bound of the lattice. Intuitively, the 
final states available for angelic choice are those in the intersection of all choices 
available for demonic choice. The operator satisfies the following property. 

Lemma L.2.3.1 $B_0 \sqsubseteq_{BM} B_0 \sqcup_{BM} B_1$ 

That is, the degree of angelic nondeterminism can be increased. 

Demonic Choice 

Its dual, demonic choice, is the greatest lower bound and is defined as set union. 
Definition 18 $B_0 \sqcap_{BM} B_1 = B_0 \cup B_1$ 

For a given initial state, the sets of final states available for demonic choice 
correspond to those in either $B_0$ or $B_1$. Demonic choice observes the following property. 

Lemma L.2.3.2 $B_0 \sqcap_{BM} B_1 \sqsubseteq_{BM} B_0$ 

That is, the degree of demonic nondeterminism can be decreased. Finally, angelic 
and demonic choice distribute over one another. 

Lemma L.2.3.3 $B_0 \sqcap_{BM} (B_1 \sqcup_{BM} B_2) = (B_0 \sqcap_{BM} B_1) \sqcup_{BM} (B_0 \sqcap_{BM} B_2)$ 

This property follows from the distributive properties of set union and set 
intersection. It is equally valid in the theory of predicate transformers and the 
isomorphic UTP model of [38]. 


Sequential Composition 

Although this is a relational model, since states are related to sets of states, the 
definition of sequential composition is not relational composition. Instead it is defined 
as follows. 

Definition 19 

$B_0 ;_{BM} B_1 = \{s_0, ss_1 \mid \exists ss_0 \bullet (s_0, ss_0) \in B_0 \wedge ss_0 \subseteq \{s_1 \mid (s_1, ss_1) \in B_1\}\}$ 

It considers every initial state $s_0$ in $B_0$ and set of final states $ss_1$, such that there is 
some intermediate set of states $ss_0$ that is related from $s_0$ in $B_0$, and $ss_0$ is a subset of 
those initial states of $B_1$ that achieve $ss_1$. As noted in [38], for healthy multirelations 
this definition can be simplified further as shown in the following lemma. 

Lemma L.2.3.4 Provided $B_0$ satisfies BMH, 

$B_0 ;_{BM} B_1 = \{s_0, ss_1 \mid (s_0, \{s_1 \mid (s_1, ss_1) \in B_1\}) \in B_0\}$ 

Proof. Equation 5 in [38]. □ 

This definition is the basis for the definition of sequential composition in the 
isomorphic UTP model of [38], and for the definition of sequential composition in the 
extended model of binary multirelations that we discuss in Chapter 3. 
2.4 The Unifying Theories of Programming 


As previously discussed, the UTP of Hoare and He [39] is a framework of 
alphabetized relations suitable for characterising different programming paradigms. 
The UTP promotes unification of results while enabling different aspects of 
programs to be considered in isolation. In [39] a collection of theories is presented that 
targets multiple aspects of different programming paradigms, such as 
functionality, concurrency, logic programming and higher-order programming. Several other 
theories have since been developed which cater for other aspects, such as angelic 
nondeterminism [33], object-orientation pH), 46], pointers m and time [431 foUj. 

The UTP is based on the principle of observation, and so the discourse for 
recording observations is defined by an alphabet whose variables determine the observable 
parameters of a system. These can be either program variables, or alternatively, 
auxiliary variables that capture information like termination and execution time. 
A UTP theory is characterised by three components: an alphabet, a set of 
healthiness conditions and a set of operators. 

For a given relation P, its alphabet is given by $\alpha(P)$. Similar to the conventions 
of Z, in the UTP an alphabet is split into two disjoint subsets: $in\alpha(P)$, which 
contains undashed variables for characterising the initial observations, and $out\alpha(P)$, 
which contains the dashed counterparts of each variable that characterise the final 
or subsequent observations of a system. For example, a program whose purpose is 
to increment the initial value of the only program variable x can be specified by 
the relation: $x' = x + 1$. This relation concisely describes all pairs of values $(x, x')$ 
that satisfy this predicate. Thus relations characterise the possible observations of 
a program. 

When the input and output alphabets of a relation are exactly the same, except 
for the fact that variables are undashed and dashed in either set, respectively, a 
relation is said to be homogeneous. 


Definition 20 (Homogeneous Relation) A relation P is homogeneous if, and 
only if, $(in\alpha(P))' = out\alpha(P)$. 


This is captured by Definition 20, where $(in\alpha(P))'$ is the set of variables obtained 
by dashing every variable in the set $in\alpha(P)$. 


The remainder of this section is organised as follows. In Section 2.4.1 we 
discuss the other two components of UTP theories, namely healthiness conditions and 
operators. In Section 2.4.2 we introduce the theory of designs which captures total 
correctness. In Section 2.4.3 we discuss the approach to linking theories in the UTP. 
Finally, Section 2.4.4 discusses the theory of angelic nondeterminism of 

2.4.1 Theories 

The second component of a UTP theory is a set of healthiness conditions that 
characterise the predicates of a theory. These are normally specified by idempotent 
and monotonic functions whose fixed points are the valid predicates of the theory. 

Healthiness Conditions 

For instance, in the context of theories concerning time, it is often possible to make 
observations of a system in discrete-time units recorded using a variable t. It is 
expected that any plausible theory describing such a system must guarantee that 
time is monotonically increasing. This property can be described by the following 
healthiness condition HC. 

Example 3 $HC(P) = P \wedge t \leq t'$ 

It requires that under all circumstances, it must be the case that the initial value of t 
is less than or equal to the final or after value $t'$. This healthiness condition is defined 
in terms of conjunction, so it is called a conjunctive healthiness condition [37]. A 
general result on conjunctive healthiness conditions m enables us to establish that 
HC is idempotent and monotonic with respect to refinement. An observation in this 
theory is valid if, and only if, it is a fixed point of HC. 

Refinement 

The theory of relations forms a complete lattice [39], with the order given by (reverse) 
universal implication. The top of the lattice is false and the bottom is true. This 
order corresponds to the notion of refinement. Its definition is presented below, 
where the square brackets stand for universal quantification over all the variables in 
the alphabet [39]. 

Definition 21 (Refinement) $P \sqsubseteq Q \Leftrightarrow [Q \Rightarrow P]$ 

Refinement can be understood as capturing the notion of correctness in the sense 
that, if a predicate Q refines P, then all possible behaviours exhibited by Q are 
permitted by P. This notion is paramount for the UTP framework and it is the 
same across all theories. The relation true imposes no restriction and permits the 
observation of any value for all variables in the alphabet, while false permits none. 
Operators 

A UTP theory comprises a number of operators that characterise how the theory 
may be used algebraically to specify more complex behaviours. In the theory of 
relations there are a number of core operators that correspond to typical constructs 
found in programming languages, such as assignment (:=), conditional ($A \lhd c \rhd B$), 
and sequential composition ( ; ). In what follows we present some of the most 
important operators of the theory of relations. 

Sequential Composition 

In UTP theories whose relations are homogeneous, sequential composition is defined 
as relational composition. The definition is shown below through substitution. 

Definition 22 (Sequential Composition) $P ; Q \;\hat{=}\; \exists v_0 \bullet P[v_0/v'] \land Q[v_0/v]$ 

The intuition here is that the sequential composition of two relations P and Q 
involves some intermediate, unobservable state, whose vector of variables is represented 
by $v_0$. This vector is substituted in place of the final values of P, as 
represented by v', as well as for the initial values of Q, as represented 
by v. It is finally hidden by the existential quantifier. 

Skip 

An important construct in the relational theory is the program $\mathit{II}$, otherwise also 
known as Skip, whose definition is presented below. 

Definition 23 (Skip) $\mathit{II} \;\hat{=}\; (v' = v)$ 

This is a program that keeps the value of all variables unchanged. The most interesting 
property of $\mathit{II}$ is that it is the left-unit for sequential composition [39]. 

Demonic Choice 

Due to the lattice-theoretic approach of the UTP, demonic choice ($\sqcap$) corresponds 
to the greatest lower bound. This means that its definition is simply disjunction. 

Definition 24 (Demonic choice) $P \sqcap Q \;\hat{=}\; P \lor Q$ 

Unfortunately the least upper bound, which is conjunction, does not correspond to 
the notion of angelic choice. As mentioned previously, it is not possible to represent 
both choices directly within the relational model [35]. 
Recursion 

Recursion is defined in the UTP as the weakest fixed point. Since we have a complete 
lattice, it is possible to find a complete lattice of fixed points, as established by a 
result due to Tarski. In the following definition, F is a monotonic function 
and $\sqcap$ is the greatest lower bound. 

Definition 25 (Recursion) $\mu X \bullet F(X) \;\hat{=}\; \sqcap \{X \mid [F(X) \sqsubseteq X]\}$ 

A non-terminating recursion, such as $(\mu Y \bullet Y)$, is equated with the bottom of 
the lattice, true [55]. Intuitively this means that it does not terminate, but if we 
sequentially compose this recursion with another program, then it becomes possible 
to recover from the non-terminating recursion, as shown in the following example. 

Example 4 

$(\mu Y \bullet Y) ; x' = 0$ {Definition of recursion} 

$= \sqcap \{X \mid [(\lambda Y \bullet Y)(X) \sqsubseteq X]\} ; x' = 0$ {Function application} 

$= \sqcap \{X \mid [X \sqsubseteq X]\} ; x' = 0$ {Reflexivity of $\sqsubseteq$} 

$= \sqcap \{X \mid true\} ; x' = 0$ {Property of $\sqcap$} 

$= true ; x' = 0$ {Definition of sequential composition} 

$= \exists v_0 \bullet true \land x' = 0$ {Propositional calculus} 

$= x' = 0$ 


This issue motivated Hoare and He to propose the theory of designs that we 
present in the following Section 2.4.2. 
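The relational laws of this section can be checked mechanically on a finite state space. The following Python model is an added example, not code from the thesis: a relation is the set of (before, after) state pairs it admits, refinement is reverse implication (superset of observations), and the two variables x and t over {0, 1, 2} are an assumption. It checks the left-unit law of Skip, the lattice bounds, idempotence and monotonicity of the conjunctive HC of Example 3, and the recovery from true that Example 4 exhibits.

```python
# Added example (not from the thesis): a finite-state model of the UTP theory
# of relations. States are frozensets of (variable, value) items; a relation
# is the set of (before, after) pairs it admits. Variables x, t over {0,1,2}
# are an assumption.
from itertools import product

VALUES = (0, 1, 2)

def state(**kw):
    return frozenset(kw.items())

STATES = [state(x=x, t=t) for x, t in product(VALUES, VALUES)]

def relation(pred):
    """Build {(v, v') | pred(v, v')} over the finite state space."""
    return frozenset((v, w) for v in STATES for w in STATES if pred(dict(v), dict(w)))

TRUE = relation(lambda v, w: True)     # bottom of the lattice: every observation
FALSE = relation(lambda v, w: False)   # top of the lattice: no observation

def refines(p, q):
    """P ⊑ Q holds iff [Q ⇒ P]: every observation of Q is one of P."""
    return q <= p

def seq(p, q):
    """P ; Q = ∃ v0 • P[v0/v'] ∧ Q[v0/v]: the intermediate state is hidden."""
    return frozenset((v, w) for (v, v0) in p for (u, w) in q if v0 == u)

SKIP = relation(lambda v, w: v == w)   # II = (v' = v)

def demonic(p, q):
    """P ⊓ Q = P ∨ Q: the greatest lower bound is disjunction."""
    return p | q

def HC(p):
    """Example 3: HC(P) = P ∧ t ≤ t'."""
    return frozenset((v, w) for (v, w) in p if dict(v)["t"] <= dict(w)["t"])

def is_healthy(p):
    return HC(p) == p

# Programs used in the checks (constructed): time advances by one, x is
# reset, and a program that lets time run backwards.
TICK = relation(lambda v, w: w["t"] == v["t"] + 1 and w["x"] == v["x"])
X_ZERO = relation(lambda v, w: w["x"] == 0)
REWIND = relation(lambda v, w: w["t"] == v["t"] - 1 and w["x"] == v["x"])

def check_laws():
    """Laws stated in the text, checked exhaustively on the finite model."""
    return {
        "skip_left_unit": seq(SKIP, TICK) == TICK,
        "true_is_bottom_false_is_top": refines(TRUE, TICK) and refines(TICK, FALSE),
        "glb_refined_by_both": refines(demonic(TICK, X_ZERO), TICK)
                               and refines(demonic(TICK, X_ZERO), X_ZERO),
        "HC_idempotent": HC(HC(REWIND)) == HC(REWIND),
        "HC_monotonic": refines(HC(demonic(TICK, REWIND)), HC(TICK)),
        "tick_healthy": is_healthy(TICK),
        "rewind_unhealthy": not is_healthy(REWIND),
        # Example 4: the non-terminating recursion equals true, and
        # true ; (x' = 0) collapses to x' = 0, the recovery that motivates designs.
        "recovery_from_true": seq(TRUE, X_ZERO) == X_ZERO,
    }
```

The last entry is the point of Example 4: in the relational theory the bottom true is not a left zero of sequential composition, so a program that follows a divergent one still establishes its postcondition.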


2.4.2 Designs 

As already mentioned, when considering theories of total correctness for reasoning 
about programs, the theory of relations is not appropriate due to the fact that it 
allows unrealistic observations of recovery from non-terminating programs [39, 51]. 
In other words, the bottom of the lattice, true, is not necessarily a left-zero of 
sequential composition as would be needed. As a result, Hoare and He have 
introduced the theory of designs, which addresses this issue. 
Alphabet 

The theory of designs is defined by considering the addition of two auxiliary Boolean 
variables to the alphabet: ok and ok'. Their purpose is to track whether a program 
has been started, in which case ok is true, and whether a program has successfully 
terminated, in which case ok' is true. 

In what follows we present the healthiness conditions that define the theory of 
designs. Finally we discuss the notion of refinement in the context of designs. 

Healthiness Conditions 

Any valid predicate of this theory has to obey two basic principles: that no guarantees 
can be made by a program before it has started, and that no program may 
require non-termination. These two principles are formally characterised by the 
healthiness conditions H1 and H2, respectively [32]. We reproduce their definitions 
below. 

Definition 26 $\mathbf{H1}(P) \;\hat{=}\; ok \Rightarrow P$ 

The definition of H1 states that any guarantees made by P can only be established 
once it has started. Otherwise, any observation is permitted and it behaves like the 
bottom of the lattice, which is the same as the one for relations: true. 

Definition 27 $\mathbf{H2}(P) \;\hat{=}\; [P[false/ok'] \Rightarrow P[true/ok']]$ 

The definition of H2 states that if it is possible for a program P not to terminate, 
that is, for ok' to be false, then it must also be possible for it to terminate, that is, for 
ok' to be true. This healthiness condition can alternatively be expressed using 
the J-split of [32] as $\mathbf{H2}(P) = P ; J$, where $J = (ok \Rightarrow ok') \land v' = v$. That is, the 
value of ok can increase monotonically, while every other variable v is unchanged. 
A predicate that is both H1 and H2 satisfies the following property. 

Lemma L.2.4.1 (Design) 

$\mathbf{H1} \circ \mathbf{H2}(P) = (ok \land \lnot P[false/ok']) \Rightarrow (P[true/ok'] \land ok')$ 

Proof. Theorem 3.2.3 in [32]. □ 

Here the design is split into two parts: a precondition and a postcondition. It is 
defined using the notation of Hoare and He [32] as shown in the following definition. 
Definition 28 (Design) $(P \vdash Q) \;\hat{=}\; (ok \land P) \Rightarrow (ok' \land Q)$ 

A design can also be written using the following notation, where we use the shorthand 
$P^a = P[a/ok']$, with $t = true$ and $f = false$, as introduced by 
Woodcock and Cavalcanti, which emphasises that we can assume, without loss 
of generality, that ok' is not free in pre and postconditions. Furthermore, it is usually 
assumed that ok is also not free in either P or Q. 

Lemma L.2.4.2 (Design) A predicate P is a design if, and only if, it can be 
written in the following form: $(\lnot P^f \vdash P^t)$. 

Proof. Theorem 3.2.3 in [33] and definition of design. □ 

We observe that the functions H1 and H2 (and indeed all of the healthiness conditions 
of designs) are idempotent and monotonic with respect to refinement [33]. 
Furthermore, none of the proofs establishing these results rely on the property of 
homogeneity. Therefore it is possible to define a non-homogeneous theory of designs. 

Hoare and He [33] identified another two healthiness conditions of interest, which 
we discuss further below. The third healthiness condition H3 requires $\mathit{II}_D$, the Skip 
of designs, to be a right-unit for sequential composition [33]. 

Definition 29 (Skip) $\mathit{II}_D \;\hat{=}\; (true \vdash v' = v)$ 

Skip is the program that always terminates successfully and does not change the 
program variables. It is essentially the counterpart to $\mathit{II}$ in the theory of designs. 

Definition 30 $\mathbf{H3}(P) \;\hat{=}\; P ; \mathit{II}_D$ 


From this definition it may not be immediately obvious how designs are further 
restricted by H3. In fact, it requires the precondition not to have any dashed 
variables (as confirmed by Theorem T.2.4.1). In order to understand the intuition 
behind it we consider an example of a design that is not H3-healthy. 


Example 5 

$(x' \neq 2 \vdash true)$ {Definition of designs} 

$= (ok \land x' \neq 2) \Rightarrow ok'$ {Propositional calculus} 

$= ok \Rightarrow (x' = 2 \lor ok')$ 


In this case we have a program that, upon having started, can either terminate with 
any final values permitted, or can assign the value 2 to the variable x, in which case 
termination is not required. In the context of a theory of total correctness 
for sequential programs this is a behaviour that would not normally be expected. 
However, it is worth noting that in the context of CSP non-H3 designs are important, 
since they enable the specification of CSP processes such as $a \rightarrow Chaos$. 

The healthiness condition H3 can also be interpreted as guaranteeing that if a 
program may not terminate, then it has arbitrary behaviour. Thus a predicate that 
is H3-healthy is also necessarily H2-healthy [38]. 

If we expand the definition of H3 by applying the definition of sequential composition 
for designs we obtain the following result. 

Theorem T.2.4.1 $((\lnot P^f \vdash P^t) = (\lnot P^f \vdash P^t) ; \mathit{II}_D) \Leftrightarrow (\lnot P^f = \exists v' \bullet \lnot P^f)$ 

Proof. Theorem 3.2.4 in [32] and proof in Section 6.3 of [51]. □ 

This theorem shows that the value of any dashed variables in $\lnot P^f$ must be irrelevant. 
Therefore any design that is H3-healthy can only have a condition as its 
precondition, that is, a predicate that only mentions undashed variables, and thus 
can only impose restrictions on previous programs. 

Finally, the last healthiness condition of interest is H4, which restricts designs to 
feasible programs. It is defined by the following algebraic equation, which requires 
that true is a right-zero for sequential composition. 

Definition 31 (H4) $P ; true = true$ 

The intuition here is that this prevents the top of the lattice, $\top_D$, itself a trivial 
refinement of any program, from being healthy. In order to explain the intuition for 
this, we consider the definition of $\top_D$. 

Definition 32 (Miracle) 

$\top_D = (true \vdash false)$ {Property of designs} 

$= ok \Rightarrow false$ {Propositional calculus} 

$= \lnot ok$ 

The top $\top_D$ denotes a program that could never be started ($\lnot ok$). Furthermore, 
if it could, and indeed its precondition makes no restriction, it would establish the 
impossible: false. Any conceivable implementable program must not behave in this 
way. However, miracle is an important construct in refinement calculi [38, 51]. 

For completeness we also provide the definition of the bottom of the lattice of 
designs, which is usually named Abort. 
Definition 33 (Abort) $\bot_D \;\hat{=}\; (false \vdash true)$ 

The bottom $\bot_D$ provides no guarantees at all: it may fail to terminate, and if it 
does terminate there are no guarantees on the final values. Indeed it is not required 
to guarantee anything at all since its precondition is false. 


Operators 

In the following theorems we introduce the meet and join of the lattice of designs 
as presented in [51]. Like in the lattice of relations, the greatest lower bound 
corresponds to demonic choice. 

Theorem T.2.4.2 (Greatest lower bound) $\sqcap_i (P_i \vdash Q_i) = (\bigwedge_i P_i) \vdash (\bigvee_i Q_i)$ 

Proof. Theorem 1 in [51]. □ 

Theorem T.2.4.3 (Least upper bound) $\bigsqcup_i (P_i \vdash Q_i) = (\bigvee_i P_i) \vdash (\bigwedge_i P_i \Rightarrow Q_i)$ 

Proof. Theorem 1 in [51]. □ 


Sequential Composition The definition of sequential composition for designs 
can be deduced from Definition 22. Here we present the result as proved in [33, 51]. 


Theorem T.2.4.4 (Sequential composition of designs) Provided ok and ok' 
are not free in $P_0$, $P_1$, $Q_0$ and $Q_1$, 

$(P_0 \vdash P_1) ; (Q_0 \vdash Q_1) = (\lnot (\lnot P_0 ; true) \land \lnot (P_1 ; \lnot Q_0) \vdash P_1 ; Q_1)$ 

Proof. Law T 3 in [51]. □ 

This definition can be interpreted as establishing $P_1$ followed by $Q_1$ provided that 
$P_0$ holds and $P_1$ satisfies $Q_0$. As pointed out in [51], if $P_0$ is a condition then the 
definition can be further simplified. 

Theorem T.2.4.5 (Sequential composition of designs) Provided ok and ok' 
are not free in $P_0$, $P_1$, $Q_0$ and $Q_1$, and $P_0$ is a condition, 

$(P_0 \vdash P_1) ; (Q_0 \vdash Q_1) = (P_0 \land \lnot (P_1 ; \lnot Q_0) \vdash P_1 ; Q_1)$ 

Proof. Law T 3' in [51]. □ 
Refinement 

As in all UTP theories, the refinement order in the theory of designs is universal 
(reverse) implication. Thus the following result can be established [51]. 

Theorem T.2.4.6 (Refinement) 

$(P_0 \vdash P_1) \sqsubseteq (Q_0 \vdash Q_1) = [P_0 \land Q_1 \Rightarrow P_1] \land [P_0 \Rightarrow Q_0]$ 

Proof. Law 5 in [51]. □ 

Theorem T.2.4.6 confirms the intuition about refinement as found in other calculi: 
preconditions can be weakened while postconditions can be strengthened. 
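The healthiness conditions H1 to H4, Example 5, the miracle and abort, and Theorems T.2.4.5 and T.2.4.6 can all be checked by enumeration once ok and ok' are made explicit. The following Python model is an added example, not code from the thesis; the single variable x over {0, 1, 2} and the sample designs are assumptions. H2 is computed through the J-split stated above.

```python
# Added example (not from the thesis): the theory of designs over a finite
# state space. An observation is the tuple (ok, v, ok', v') and a predicate
# is the set of observations it admits. The variable x over {0,1,2} and the
# sample designs below are assumptions.
from itertools import product

VALUES = (0, 1, 2)
STATES = [frozenset({("x", v)}) for v in VALUES]
BOOL = (False, True)
OBS = list(product(BOOL, STATES, BOOL, STATES))

def pred(f):
    """Observations (ok, v, ok', v') for which f(ok, v, ok2, w) holds."""
    return frozenset(o for o in OBS if f(*o))

TRUE, FALSE = pred(lambda *o: True), pred(lambda *o: False)

def design(pre, post):
    """(P ⊢ Q) = (ok ∧ P) ⇒ (ok' ∧ Q); pre and post take (v, v') and are ok-free."""
    return pred(lambda ok, v, ok2, w: (not (ok and pre(v, w))) or (ok2 and post(v, w)))

def seq(p, q):
    """Relational composition hiding the intermediate observation (ok0, v0)."""
    return frozenset((ok, v, ok2, w) for (ok, v, m, u) in p
                     for (m2, u2, ok2, w) in q if m == m2 and u == u2)

def refines(p, q):          # P ⊑ Q iff [Q ⇒ P]
    return q <= p

SKIP_D = design(lambda v, w: True, lambda v, w: v == w)    # II_D = (true ⊢ v' = v)
TOP_D = design(lambda v, w: True, lambda v, w: False)      # miracle
BOTTOM_D = design(lambda v, w: False, lambda v, w: True)   # abort
J = pred(lambda ok, v, ok2, w: ((not ok) or ok2) and v == w)   # (ok ⇒ ok') ∧ v' = v

def H1(p): return pred(lambda ok, *r: not ok) | p   # ok ⇒ P
def H2(p): return seq(p, J)                          # P ; J
def H3(p): return seq(p, SKIP_D)                     # P ; II_D
def is_H4(p): return seq(p, TRUE) == TRUE            # P ; true = true

def healthiness(p):
    return {"H1": H1(p) == p, "H2": H2(p) == p, "H3": H3(p) == p, "H4": is_H4(p)}

def x_of(v):
    return dict(v)["x"]

# Relations over (v, v') only, used to evaluate the right-hand sides of the theorems.
def rel(f):
    return frozenset((v, w) for v in STATES for w in STATES if f(v, w))

def rel_seq(r, s):
    return frozenset((v, w) for (v, m) in r for (u, w) in s if m == u)

def seq_by_theorem(p0, p1, q0, q1):
    """Theorem T.2.4.5: (P0 ∧ ¬(P1 ; ¬Q0) ⊢ P1 ; Q1), for a condition P0."""
    bad = rel_seq(rel(p1), rel(lambda v, w: not q0(v, w)))   # P1 ; ¬Q0
    good = rel_seq(rel(p1), rel(q1))                         # P1 ; Q1
    return design(lambda v, w: p0(v, w) and (v, w) not in bad,
                  lambda v, w: (v, w) in good)

def refines_by_theorem(p0, p1, q0, q1):
    """Theorem T.2.4.6: [P0 ∧ Q1 ⇒ P1] ∧ [P0 ⇒ Q0]."""
    return all(((not (p0(v, w) and q1(v, w))) or p1(v, w))
               and ((not p0(v, w)) or q0(v, w))
               for v in STATES for w in STATES)

ANY = lambda v, w: True
X_ZERO = lambda v, w: x_of(w) == 0          # postcondition x' = 0
FROM_ZERO = lambda v, w: x_of(v) == 0       # condition x = 0
SAME = lambda v, w: v == w                  # v' = v
EX5 = design(lambda v, w: x_of(w) != 2, ANY)   # Example 5: (x' ≠ 2 ⊢ true)

def check_designs():
    h5 = healthiness(EX5)
    return {
        "skip_all_healthy": all(healthiness(SKIP_D).values()),
        "example5_design_but_not_H3": h5["H1"] and h5["H2"] and not h5["H3"],
        "top_is_not_ok_and_not_H4": TOP_D == pred(lambda ok, *r: not ok) and not is_H4(TOP_D),
        "bottom_is_true": BOTTOM_D == TRUE,
        "seq_theorem": seq(design(ANY, X_ZERO), design(FROM_ZERO, SAME))
                       == seq_by_theorem(ANY, X_ZERO, FROM_ZERO, SAME)
                       == design(ANY, X_ZERO),
        "weakening_pre_refines": refines(design(FROM_ZERO, SAME), design(ANY, SAME))
                                 == refines_by_theorem(FROM_ZERO, SAME, ANY, SAME) == True,
        "strengthening_pre_does_not": refines(design(ANY, SAME), design(FROM_ZERO, SAME))
                                      == refines_by_theorem(ANY, SAME, FROM_ZERO, SAME) == False,
    }
```

The "seq_theorem" entry computes (true ⊢ x' = 0) ; (x = 0 ⊢ v' = v) both by relational composition of the two designs and by the right-hand side of Theorem T.2.4.5; both give (true ⊢ x' = 0), since x' = 0 always satisfies the assumption x = 0 of the second design.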

This section concludes our overview of the theory of designs. In the following 
section we focus on how theories can be related and combined. 

2.4.3 Linking Theories 

The UTP provides a very powerful framework that allows relationships to be established 
between different theories. This means that results in different theories can 
be reused. We elaborate on some of the principles behind the linking of theories in the 
following paragraphs. A full account is available in [55]. 

Following the convention of Hoare and He [32], we assume the existence of a pair 
of functions L and R that map one theory into another: L maps the (potentially) 
more expressive theory into the (potentially) weaker theory, and R, vice-versa. 

Subset Theories 

The simplest form of relationship that can be established is that between subset 
theories [55]. We consider the case where a theory T is a subset of S; it is then 
possible to find a function $R : T \rightarrow S$: it is simply the identity. Defining 
$L : S \rightarrow T$ for the reverse direction may be slightly more complicated as the subset 
theory is normally less expressive. 

Hoare and He [32] pinpoint the most important properties of such a function 
$L : S \rightarrow T$: weakening or strengthening, idempotence and, ideally, monotonicity. As 
highlighted in [32], monotonicity is not always necessarily observed. We reproduce 
the respective definitions below. 

Definition 34 (Weakening) $\forall X \in S \bullet L(X) \sqsubseteq X$ 

Definition 35 (Strengthening) $\forall X \in S \bullet X \sqsubseteq L(X)$ 
We follow Hoare and He's convention and refer to a function that is both weakening 
and idempotent as a link and, if it is also monotonic we refer to it as a retract. 

Bijective Links 

When two theories have equal expressive power, the pair of linking functions between 
them can be proved to form a bijection. In other words, each function undoes 
exactly the effect of the application of the other and, thus, as expected, the following 
identities hold. 

Definition 36 (Bijection) A function L is a bijection if, and only if, the inverse 
function $R = L^{-1}$ exists, and the following hold for all P, 

$L \circ R(P) = P \;\land\; R \circ L(P) = P$ 

A bijection constitutes the strongest form of relationship between theories. It can 
apply even when the alphabets are different or when the theories are presented in 
different styles. Indeed this is often what is sought: proving that two theories have 
exactly the same expressive power, even though their shapes may suit different applications 
better. 


Galois Connections 

Often, though, and as explained previously in the discussion of subset theories, we 
want to relate theories with different expressivity. Therefore the linking function 
is not a bijection, as there has to be some weakening or strengthening in either 
direction. A pair of functions describing this relationship constitutes what is known 
as a Galois connection. Here we reproduce the definition of [32] and provide a 
pictorial illustration in Figure 2.1. 

Definition 37 (Galois Connection) For lattices S and T, a pair (L, R) of 
functions $L : S \rightarrow T$ and $R : T \rightarrow S$ is defined to be a Galois connection if, and 
only if, for all $X \in S$ and $Y \in T$: 

$R(Y) \sqsubseteq X \;\Leftrightarrow\; Y \sqsubseteq L(X)$ 


As pointed out earlier, a bijection presents a stronger relationship than a Galois 
connection. However, it is not the case that every bijection is a Galois connection [32]. 
Hoare and He [32] give the example of negation, whose inverse is precisely itself; however, 
negation is not monotonic. It is a known property of Galois connections that 
the functions are monotonic. In addition, the composition of Galois connections is 
also a Galois connection (Theorem 4.2.5 in [55]). 

Figure 2.1: Galois connection between two lattices, S and T 
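The properties of a link between a theory and one of its subset theories (Definitions 34 to 37 and the remark on negation) can be checked exhaustively on a small lattice. The following Python model is an added example, not code from the thesis: S is the powerset of three observations ordered by refinement (reverse implication, so P ⊑ Q iff Q ⊆ P), T is the subset theory of sets that contain the observation "c", L(X) = X ∪ {"c"} stands in for a weakening healthiness condition and R is the identity. All of these choices are assumptions.

```python
# Added example (not from the thesis): a subset theory T of a theory S linked
# by a weakening, idempotent, monotonic L (a retract) and the identity R.
# S, T, L and R are assumptions chosen to be small enough to enumerate.
from itertools import combinations

OBS = ("a", "b", "c")
S = [frozenset(c) for n in range(len(OBS) + 1) for c in combinations(OBS, n)]

def refines(p, q):          # P ⊑ Q: every observation of Q is one of P
    return q <= p

def L(x):                   # link S -> T: weakens X by admitting observation "c"
    return x | {"c"}

def R(y):                   # identity T -> S
    return y

T = [y for y in S if L(y) == y]   # fixed points of L: the subset theory

def link_properties():
    """Definitions 34 and 35, idempotence and monotonicity, checked over S."""
    weakening = all(refines(L(x), x) for x in S)
    strengthening = all(refines(x, L(x)) for x in S)
    idempotent = all(L(L(x)) == L(x) for x in S)
    monotonic = all(refines(L(x), L(y)) for x in S for y in S if refines(x, y))
    return {"weakening": weakening, "strengthening": strengthening,
            "idempotent": idempotent, "retract": weakening and idempotent and monotonic}

def galois(l, r, s, t):
    """Definition 37: R(Y) ⊑ X iff Y ⊑ L(X) for all X in S and Y in T."""
    return all(refines(r(y), x) == refines(y, l(x)) for x in s for y in t)

def negation_is_bijection_not_monotonic():
    """Hoare and He's example: complement is its own inverse but not monotonic."""
    neg = lambda x: frozenset(OBS) - x
    bijective = all(neg(neg(x)) == x for x in S)
    monotonic = all(refines(neg(x), neg(y)) for x in S for y in S if refines(x, y))
    return bijective and not monotonic
```

Swapping the roles of the two functions, `galois(R, L, T, S)`, fails: the defining property fixes which of the pair must be the weakening direction.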


2.4.4 Angelic Nondeterminism 

In order to model both angelic and demonic nondeterminism in the relational setting 
of the UTP, Cavalcanti et al. [38] have proposed an encoding of upward-closed binary 
multirelations through non-homogeneous relations. The alphabet of that theory 
consists of the undashed program variables, whose set is given by ina, and of the 
sole dashed variable ac', which is a set of final states whose components range over 
outa, the output variables of a program. The final states in ac' are those available 
for angelic choice, while the demonic choices are those over the value of ac'. Similarly 
to our presentation of binary multirelations in Section 2.3, a state is a record whose 
components are program variables. 

Despite being a theory which does not include the variables ok and ok', it directly 
captures termination. The intuition here is that a program may fail to terminate 
if there are no choices available to the angel. In other words, if ac' may be empty, 
then non-termination is a possibility. Conversely, if the program terminates, then 
there must be at least one final state available for angelic choice. 


Healthiness Conditions 

Since the theory is essentially a relational encoding of binary multirelations, in 
order for it to observe the essential properties of binary multirelations, the set of 
final choices ac' needs to be upward-closed. So the only healthiness condition of the 
theory is defined as follows [38]. 

Definition 38 $\mathbf{PBMH}(P) \;\hat{=}\; P ; ac \subseteq ac'$ 


This is a predicative version of BMH, which is defined using the sequential composition 
operator. If it were possible for P to establish some set of final states ac', 
then any superset could have also been obtained. 

One immediate consequence of PBMH is that no well-behaved program can require 
the set of final states ac' to be empty, as illustrated in the following Lemma L.2.4.3, 
which establishes that $ac' = \emptyset$ is not a fixed point of PBMH. 

Lemma L.2.4.3 $\mathbf{PBMH}(ac' = \emptyset) = true$ 


Proof. 

$\mathbf{PBMH}(ac' = \emptyset)$ {Definition of PBMH} 

$= ac' = \emptyset ; ac \subseteq ac'$ {Definition of sequential composition} 

$= \exists ac_0 \bullet (ac' = \emptyset)[ac_0/ac'] \land (ac \subseteq ac')[ac_0/ac]$ {Substitution} 

$= \exists ac_0 \bullet ac_0 = \emptyset \land ac_0 \subseteq ac'$ {Property of sets} 

$= true$ 

□ 

In other words, this corresponds to the same condition enforced by H2 of the theory 
of designs. Moreover, because non-termination involves ac' being empty, and since 
there is a requirement on ac' being upward-closed, this theory also satisfies the 
condition enforced by H3 of the theory of designs: arbitrary behaviour when there 
is non-termination. In the following, where we discuss the operators of the theory, 
we establish this result by proving that the Skip of this theory is a right-unit for 
sequential composition, essentially a recast of H3. 

Operators 

The operators of the UTP theory presented in [38] are calculated from their corresponding 
predicate transformer's definition through a composition of linking functions 
that establish isomorphisms between predicate transformers, binary multirelations 
and the proposed UTP model. In the following paragraphs we reproduce the 
most important operators, whose definitions are subscripted with A. 

Since this theory is a complete lattice, the angelic choice operator is the least 
upper bound, conjunction, while demonic choice corresponds to the greatest lower 
bound, disjunction. Furthermore, the bottom of the lattice is true and corresponds 
to abort, while false is the top and corresponds to miracle. 

Skip The program that terminates successfully without changing the state is 
defined as follows. 

Definition 39 $\mathit{II}_A \;\hat{=}\; (\theta ina)' \in ac'$ 

The definition requires that the dashed version of the initial state $\theta ina$ is available 
for angelic choice in ac'. The notation $\theta ina$ is used to denote a state where each 
name x in ina is a component associated with the corresponding program variable 
x, while the notation $(\theta ina)'$ denotes the state obtained from $\theta ina$ by dashing the 
name of each state component. 

This operator was originally not considered in [38], but is useful, for example, to 
show that this theory observes the same property as H3 of the theory of designs. 
This is presented following the introduction of the sequential composition operator. 

Assignment The next operator of interest is assignment. An assignment of the 
value of an expression e to a program variable x is defined as follows. 

Definition 40 (Assignment) $x :=_A e \;\hat{=}\; (\theta ina)' \oplus (x' \mapsto e) \in ac'$ 

The definition requires that there is a final state available for angelic choice in ac', 
where the dashed version of the initial state $(\theta ina)'$ is overridden with a component 
of name x' with value e. 

Sequential Composition The operator that is perhaps most challenging is sequential 
composition. Since the theory is non-homogeneous, sequential composition 
is no longer relational composition as in other UTP theories. Instead, the authors 
in [38] have calculated the following definition, which uses substitution. 

Definition 41 $P ;_A Q \;\hat{=}\; P[\{s' \mid Q[s/ina]\}/ac']$ 

The set of angelic choices resulting from composing P and Q corresponds to the 
angelic choices of Q, such that they can be reached from an initial state s of Q that 
is available for P as a set ac' of angelic choices. The states in $\{s' \mid Q[s/ina]\}$ are obtained by 
considering the substitution in Q over all variables x in ina with their corresponding 
state component s.x. Since states in ac' have dashed components, the set construction 
considers the dashed version s' of s. This definition can be interpreted as back-propagating 
the necessary information regarding the final states. 

We consider the following example, where there is a choice between angelically 
assigning the value 1 or 2 to the only program variable x, followed by a sequential 
composition with an assumption, where the program terminates successfully only 
when the initial value of x is 1 and otherwise aborts. For simplicity, we consider x 
to be the only program variable. 


Example 6 

$(x :=_A 1 \sqcup x :=_A 2) ;_A (x = 1 \Rightarrow \mathit{II}_A)$ {Definition of $\sqcup$ and assignment} 

$= ((x' \mapsto 1) \in ac' \land (x' \mapsto 2) \in ac') ;_A (x = 1 \Rightarrow \mathit{II}_A)$ {Definition of $;_A$ and $\mathit{II}_A$} 

$= ((x' \mapsto 1) \in ac' \land (x' \mapsto 2) \in ac')[\{s' \mid (x = 1 \Rightarrow (x' \mapsto x) \in ac')[s/ina]\}/ac']$ {Substitution} 

$= ((x' \mapsto 1) \in ac' \land (x' \mapsto 2) \in ac')[\{s' \mid s.x = 1 \Rightarrow (x' \mapsto s.x) \in ac'\}/ac']$ {Property of substitution} 

$= ((x' \mapsto 1) \in ac')[\{s' \mid s.x = 1 \Rightarrow (x' \mapsto s.x) \in ac'\}/ac'] \;\land\; ((x' \mapsto 2) \in ac')[\{s' \mid s.x = 1 \Rightarrow (x' \mapsto s.x) \in ac'\}/ac']$ {Substitution} 

$= (x' \mapsto 1) \in \{s' \mid s.x = 1 \Rightarrow (x' \mapsto s.x) \in ac'\} \;\land\; (x' \mapsto 2) \in \{s' \mid s.x = 1 \Rightarrow (x' \mapsto s.x) \in ac'\}$ {Property of sets} 

$= ((x \mapsto 1).x = 1 \Rightarrow (x' \mapsto (x \mapsto 1).x) \in ac') \;\land\; ((x \mapsto 2).x = 1 \Rightarrow (x' \mapsto (x \mapsto 2).x) \in ac')$ {Record component x} 

$= (1 = 1 \Rightarrow (x' \mapsto 1) \in ac') \land (2 = 1 \Rightarrow (x' \mapsto 2) \in ac')$ {Predicate calculus} 

$= (x' \mapsto 1) \in ac'$ {Definition of assignment} 

$= x :=_A 1$ 


The result is that the angel avoids assigning 2 to x, since that would lead to abortion. 
So effectively, the information regarding the sets available for angelic choice is back 
propagated from the assumption through the sequential composition. 
Finally, we show that this theory observes the property of H3 of the theory of 
designs by expressing H3 in this model. 

Definition 42 $\mathbf{H3}_A(P) \;\hat{=}\; P ;_A \mathit{II}_A$ 

This requires the identity of the theory $\mathit{II}_A$ to be a right-unit, which we prove in 
the following lemma for healthy predicates. 

Lemma L.2.4.4 $P = P ;_A \mathit{II}_A$ 

Proof. 

$P ;_A \mathit{II}_A$ {Definition of $\mathit{II}_A$ and $;_A$} 

$= P[\{s' \mid ((\theta ina)' \in ac')[s/ina]\}/ac']$ {Expand $\theta ina$ for each $x_i$ in ina} 

$= P[\{s' \mid ((x_0 \mapsto x_0, \ldots, x_i \mapsto x_i)' \in ac')[s/ina]\}/ac']$ {Dash state components} 

$= P[\{s' \mid ((x_0' \mapsto x_0, \ldots, x_i' \mapsto x_i) \in ac')[s/ina]\}/ac']$ {Substitution} 

$= P[\{s' \mid (x_0' \mapsto s.x_0, \ldots, x_i' \mapsto s.x_i) \in ac'\}/ac']$ {Dash state components} 

$= P[\{s' \mid (x_0 \mapsto s.x_0, \ldots, x_i \mapsto s.x_i)' \in ac'\}/ac']$ {State components} 

$= P[\{s' \mid s' \in ac'\}/ac']$ {Property of sets} 

$= P[ac'/ac']$ {Property of substitution} 

$= P$ 

□ 

This concludes the discussion of the healthiness conditions of the theory. In what 
follows we discuss the relationship between this theory, binary multirelations and 
the predicate transformers. 

Relationship with Binary Multirelations 

As previously discussed, the theory of [38] is isomorphic to the theory of upward-closed 
binary multirelations. We depict this relationship in two figures, where 
both theories, characterised by their respective healthiness conditions PBMH and 
BMH, are related through a pair of composed linking functions [38]. For completeness, 
we reproduce the results of composing these linking functions in what follows, while the 
definition of each individual linking function is available in [38]. 

The first composition maps from this theory into the model of binary multirelations; 
this result is reproduced below [38]. 
Theorem T.2.4.7 $sb2bm \circ p2sb(P) = \{s : State, ss : \mathbb{P}\,State \mid P[s, ss/ina, ac']\}$ 

Proof. Part of Theorem 4.8 in [33], following the definitions of p2sb and sb2bm. □ 

It considers every initial state s and set of final states ss, such that P holds when 
every initial variable x in ina is substituted with its corresponding state component 
s.x, and the set of final states ss is substituted for ac'. 

The inverse link is established by the composition of the respective inverse linking 
functions sb2p and bm2sb, whose functional composition is shown below [31]. 

Theorem T.2.4.8 $sb2p \circ bm2sb(B) \;\hat{=}\; (\theta ina, ac') \in B$ 

Proof. Part of Theorem 4.7 in [38], following the definitions of bm2sb and sb2p. □ 

For a binary multirelation B, the corresponding UTP predicate requires that the 
pair of initial state $\theta ina$ and set of final states ac' is in B. 

Relationship with Predicate Transformers 

The last relationship that we discuss in this section pertains to the links between 
the UTP model of [38] and the monotonic predicate transformers. This is achieved 
in [38] through a pair of linking functions, pt2p, which maps from the predicate 
transformers model into this one, and a functional composition in the opposite 
direction, whose combined result we call p2pt. The definition of pt2p is the result 
of Theorem 4.5 in [38], which we reproduce below. 

Theorem T.2.4.9 $pt2p(PT) \;\hat{=}\; \theta ina \in \lnot PT(\lnot ac')$ 

Proof. Theorem 4.5 in [38]. □ 

For a predicate transformer PT, pt2p defines the predicate that requires that the 
initial state $\theta ina$ is associated with all postconditions ac' that PT is not 
guaranteed not to establish from the initial state [38]. In this treatment of predicate 
transformers, predicates are modelled by their characteristic sets, such that PT is a 
monotonic function from sets of final states to sets of initial states [58]. 

The function mapping in the opposite direction is not presented in [38]; however, 
it can be calculated from the definitions of p2sb, sb2bm and bm2pt, which leads to 
the following definition. 

Definition 43 $p2pt(P)(\psi) \;\hat{=}\; \{s \mid \lnot P[s, \lnot\psi/ina, ac']\}$ 

This definition is justified by the following lemma. 
Lemma L.2.4.5 $bm2pt(sb2bm \circ p2sb(P), \psi) = \{s \mid \lnot P[s, \lnot\psi/ina, ac']\}$ 

Proof. 

$bm2pt(sb2bm \circ p2sb(P), \psi)$ {Theorem T.2.4.7} 

$= bm2pt(\{s_1, ss \mid P[s_1, ss/ina, ac']\}, \psi)$ {Definition of bm2pt [38]} 

$= \{s \mid (s, \lnot\psi) \notin \{s_1, ss \mid P[s_1, ss/ina, ac']\}\}$ {Property of sets} 

$= \{s \mid \lnot P[s_1, ss/ina, ac'][s, \lnot\psi/s_1, ss]\}$ {Substitution} 

$= \{s \mid \lnot P[s, \lnot\psi/ina, ac']\}$ 

□ 

This result concludes our discussion regarding the theory of angelic nondeterminism 
in the UTP and its relationship with the standard model of predicate transformers, 
where angelic and demonic nondeterminism have traditionally been characterised. 
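The definitions of this subsection, from PBMH and Lemma L.2.4.3 through the sequential composition of Example 6, the right-unit Lemma L.2.4.4 and the weakest-precondition link p2pt of Definition 43, can be executed on a finite state space. The following Python model is an added example, not code from the thesis or from Cavalcanti et al.: a single program variable x over {1, 2, 3} is assumed, an observation is a pair (s, ac') of an initial state and a set of final states, and a predicate is the set of observations it admits. Final states are represented like initial states, so the dashing of components is left implicit.

```python
# Added example (not from the thesis): a finite model of the angelic theory of
# Section 2.4.4. One variable x over {1,2,3} is an assumption; states are
# frozensets of (name, value) items and ac' ranges over all sets of states.
from itertools import combinations

VALUES = (1, 2, 3)
STATES = [frozenset({("x", v)}) for v in VALUES]
SUBSETS = [frozenset(c) for n in range(len(STATES) + 1)
           for c in combinations(STATES, n)]
OBS = [(s, ac) for s in STATES for ac in SUBSETS]

def pred(f):
    """Set of observations (s, ac') for which f(s, ac') holds."""
    return frozenset((s, ac) for (s, ac) in OBS if f(s, ac))

TRUE, FALSE = pred(lambda s, ac: True), pred(lambda s, ac: False)  # abort, miracle

def PBMH(p):
    """P ; ac ⊆ ac': admit (s, ac') if P admits (s, ac0) for some ac0 ⊆ ac'."""
    return pred(lambda s, ac: any((s, ac0) in p for ac0 in SUBSETS if ac0 <= ac))

def is_healthy(p):
    return PBMH(p) == p

def x_val(s):
    return dict(s)["x"]

SKIP_A = pred(lambda s, ac: s in ac)          # II_A = (θina)' ∈ ac'

def assign(e):
    """x :=_A e, where e is a function of the initial state."""
    return pred(lambda s, ac: frozenset({("x", e(s))}) in ac)

def angelic(p, q):   return p & q    # least upper bound: conjunction
def demonic(p, q):   return p | q    # greatest lower bound: disjunction

def seq_a(p, q):
    """P ;_A Q = P[{s' | Q[s/ina]}/ac']: ac' in P becomes the set of states
    from which Q can reach the given ac'."""
    return pred(lambda s, ac: (s, frozenset(u for u in STATES if (u, ac) in q)) in p)

def assume(c):
    """(c ⇒ II_A): terminate unchanged when c holds, otherwise abort."""
    return pred(lambda s, ac: (not c(s)) or s in ac)

def p2pt(p, psi):
    """Definition 43: the weakest precondition {s | ¬P[s, ¬psi/ina, ac']}."""
    not_psi = frozenset(u for u in STATES if u not in psi)
    return frozenset(s for s in STATES if (s, not_psi) not in p)

X_IS_1 = frozenset(u for u in STATES if x_val(u) == 1)

def example6():
    """(x :=_A 1 ⊔ x :=_A 2) ;_A (x = 1 ⇒ II_A) = x :=_A 1, as in Example 6."""
    lhs = seq_a(angelic(assign(lambda s: 1), assign(lambda s: 2)),
                assume(lambda s: x_val(s) == 1))
    return lhs == assign(lambda s: 1)

def check_laws():
    one, two = assign(lambda s: 1), assign(lambda s: 2)
    programs = (one, SKIP_A, angelic(one, two), demonic(one, two))
    return {
        "assignment_and_skip_healthy": all(is_healthy(p) for p in programs),
        "empty_ac_not_fixed_point": PBMH(pred(lambda s, ac: ac == frozenset())) == TRUE,
        "skip_right_unit": all(seq_a(p, SKIP_A) == p for p in programs),
        "angel_can_reach_x_is_1": p2pt(angelic(one, two), X_IS_1) == frozenset(STATES),
        "demon_may_miss_x_is_1": p2pt(demonic(one, two), X_IS_1) == frozenset(),
    }
```

The two p2pt entries show the difference between the choices in the predicate-transformer view: under angelic choice the postcondition x = 1 is guaranteed from every initial state, because the angel picks the assignment that avoids failure; under demonic choice it is guaranteed from none.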


2.5 Processes: CSP and Angelic Nondeterminism 


Motivated by the advances of concurrency in both hardware and software, and 
the lack of a clear understanding of the mechanisms involved, in 1978 Hoare [68] 
proposed the original version of Communicating Sequential Processes (CSP). The 
idea was to characterise concurrent systems as the result of sequential processes that 
execute in parallel, and communicate and synchronise through primitive operations 
of input and output. However, it was not until further contributions by Hoare [69], 
Brookes and Roscoe that the algebra of CSP appeared, together with 
a complete semantics, presented in all three main flavours: algebraic, denotational 
and operational. This was followed by the introduction of support for model checking 
through Failures-Divergence Refinement (FDR) [71, 72]. 

In Section 2.5.1 we provide an introduction to CSP through a presentation of 
its most important operators and algebraic laws. In Section 2.5.2 we discuss the 
standard semantics of CSP as found in [75]. The material presented here is meant 
as background for understanding both CSP and the existing proposals for handling 
angelic nondeterminism, which we discuss in Section 2.5.3. A full account of CSP can 
be found in [77, 78]. Finally, Section 2.5.4 explores the UTP model of CSP [39]. 
2.5.1 Notation 

As the name processes in CSP suggests, the central notion of CSP is that of processes. 
These include basic processes, such as Skip, the process that terminates 
successfully without influence from the environment, Stop, which behaves as deadlock 
and hence refuses to do anything, and Chaos, which behaves unpredictably. 

The other core notion of CSP is that of communication. This is achieved by 
defining events, which the system can perform only with the cooperation of its 
environment. That is, once the environment is given the possibility to perform an 
event, and it agrees to do so, then the event happens instantaneously and atomically. 
The easiest way to express this behaviour in CSP is through prefixing of events. 

Definition 44 (Prefixing) $a \rightarrow P$ 

This process offers the environment the possibility to perform the event a, after 
which it behaves like P, some other CSP process. We consider the process $P_0$. 

Example 7 $P_0 = up \rightarrow down \rightarrow Stop$ 

In this case a sequence of up and down events is followed by deadlock. A direct 
consequence of the definition of processes in this way is that recursion can occur 
naturally as part of the functional style of CSP, as shown in the following example. 

Example 8 (Mutual Recursion) 

$P_1 = up \rightarrow P_2$ 
$P_2 = down \rightarrow P_1$ 

These processes are defined by mutual recursion. The set of possible traces of events 
of $P_1$ is a superset of that of Example 7. It never terminates nor deadlocks. 

CSP presents a rich set of operators that allow more complex interactions to be 
modelled. The first that we consider in the sequel is called external choice. 

Definition 45 (External Choice) $P \Box Q$ 

In this case the environment is offered the choice between behaving as either P or 
Q. This operator satisfies a number of laws, as reproduced below. 

Lemma L.2.5.1 (Laws of External Choice) 

Idempotent: $P \Box P = P$ 
Associative: $P \Box (Q \Box R) = (P \Box Q) \Box R$ 
Symmetry: $P \Box Q = Q \Box P$ 
Unit: $P \Box Stop = P$ 

Perhaps the most interesting result here is that Stop is the unit of external choice. 
When the environment is given the choice between deadlocking or behaving as P, 
it can only choose to behave as P. 


External choice can be used to generalise the prefixing operator of Definition 44. 
Instead of permitting a single event, prefixing can be over a set of events $E \subseteq \Sigma$ of 
some alphabet $\Sigma$, as follows. 

Definition 46 $x : E \rightarrow P \;\hat{=}\; \Box\, x : E \bullet x \rightarrow P$ 


This is basically a distributed external choice over all possible events in E. Moreover, 
CSP permits the definition of channels, which can carry values of a certain type E. 
For a channel name c of type E, the set of possible events that represent 
communications over c is defined by considering events with compound names 
prefixed by c, as follows: $\{c.x \mid x \in E\}$. Usually in the CSP syntax, channel 
communications are prefixed with ? to denote input communications, while ! denotes 
output communications, as shown in Example 9. 

Example 9 (Buffer) $P_3 = in?x \rightarrow out!x \rightarrow P_3$ 

These annotations are syntactic sugar for the corresponding events in.x and out.x. 
In this example we have an input communication over channel in, which is then 
relayed onto the output channel out, effectively behaving as a one-place buffer. 

In addition to external choice, there is an operator in CSP known as internal 
choice. 

Definition 47 (Internal Choice) $P \sqcap Q$ 

This choice is also known as demonic choice, since the environment cannot force 
the system into behaving as either P or Q; the system chooses either at its 
discretion. For instance, if Stop is offered as one of the choices, then the system 
may deadlock. This operator satisfies a number of important laws, of which a 
summary is included below. 

Lemma L.2.5.2 (Laws of Internal Choice) 

Idempotent: $P \sqcap P = P$ 
Associative: $P \sqcap (Q \sqcap R) = (P \sqcap Q) \sqcap R$ 
Symmetry: $P \sqcap Q = Q \sqcap P$ 
Distributive: $P \sqcap (Q \Box R) = (P \sqcap Q) \Box (P \sqcap R)$ 


Of these, distributivity is perhaps the most important. In fact, most CSP operators 
distribute through internal choice; recursion is a notable exception. 

The next operator of interest is sequential composition; it allows processes to be 
composed in sequence other than by using prefixing. 

Definition 48 (Sequential Composition) $P ; Q$ 

A consequence of CSP's functional language is that it is not possible to pass local 
process information through sequential composition. So, for instance, the following 
process $P_4$ does not behave as would intuitively be expected in CSP. 

Example 10 $P_4 = in?x \rightarrow Skip\ ;\ out!x \rightarrow Stop$ 


This is because the scope of x is local to each of these processes, and not global. 
However, this problem can be obviated by the introduction of parallelism. CSP 
provides a number of different parallel composition operators [17]. Here we consider 
the most generic operator, which is alphabetised parallel composition. 

Definition 49 (Alphabetised Parallel Composition) $P\ |[\alpha P \mid \alpha Q]|\ Q$ 


Alphabetised here means that processes P and Q only need to agree on events in 
the intersection of the alphabets of events given in the operator, $\alpha P$ and $\alpha Q$, 
respectively. Events not in the intersection do not need the agreement of both 
processes. For instance, to specify the behaviour that may be expected of the 
process $P_4$ from Example 10, we can consider a third process in parallel that 
communicates the desired value between the two processes. 


Example 11 (Parallel Composition) 

$P_5 = ((in?x \rightarrow t!x \rightarrow Skip)\ ;\ (t?y \rightarrow out!y \rightarrow Stop))\ |[\{|\,in, out, t\,|\} \mid \{|\,t\,|\}]|\ (t?z \rightarrow t!z \rightarrow Skip)$ 


In this example we add the extra channel t, which serves as an internal communication 
channel. However, in pursuing this style of specification we have added an externally 
observable set of events on t, which may not always be desired. CSP provides a solution 
for this kind of modelling problem as well. 

Events can effectively be hidden from other processes when they are not needed. 
This abstraction is achieved in CSP by using the hiding operator. 

Definition 50 (Hiding) $P \setminus E$ 

Here the events in the set E are hidden from the environment of process P, so that 
they become internal events that can happen irrespective of cooperation from 
the environment. In the following example we give the effect of hiding the 
communications over t in $P_5$. 

Example 12 (Hiding) $P_6 = P_5 \setminus \{|\,t\,|\} = in?x \rightarrow out!x \rightarrow Stop$ 

This new process $P_6$ is equivalent to the process that takes a communication over 
channel in, relays it over channel out and then deadlocks. 

This concludes our discussion of the notation of CSP and the most important 
concepts underlying its operators and algebraic properties. In the following section 
we focus our attention on the denotational semantics of CSP. 

2.5.2 Semantics 

Many interesting properties of CSP are proved using its algebraic laws. For instance, 
step laws provide a mechanism for a stepwise calculation of the behaviour of 
operators. In addition, CSP also has a denotational semantics, which we discuss in 
this section. 

Traces 

The simplest semantic model proposed for CSP considers the observable sequences 
of events that a process may produce. For a CSP process, where $\Sigma$ is the set of all 
possible events, the set of traces is given by the function $traces : CSP \rightarrow \mathbb{P}(seq\,\Sigma)$. 
For instance, the set of traces of process $P_0$ from Example 7 is obtained as follows. 

$traces(P_0) = \{\langle\rangle, \langle up\rangle, \langle up, down\rangle\}$ 

This includes the empty sequence as well as every sequence of events that the process 
can perform. 

Refinement in this model allows reasoning about safety, since a process P is 
refined by Q if, and only if, the set of traces of Q is a subset of those of P. 

Definition 51 (Traces Refinement) $P \sqsubseteq_T Q \Leftrightarrow traces(Q) \subseteq traces(P)$ 

In other words, every behaviour of Q is a possible behaviour of P. In particular, 
Stop refines every process in the traces model, since its only trace, the empty 
trace, is a trace of every process. This motivates the definition of the following 
semantic model. 


Failures 

The next semantic model of CSP considers the set of events that may be refused 
by a process after a certain trace of events. This allows reasoning about liveness, in 
that a process like Stop no longer refines every other process. For a CSP process, 
the set of failures is given by the function $failures : CSP \rightarrow \mathbb{P}(seq\,\Sigma \times \mathbb{P}\,\Sigma)$. For 
example, in the case of process $P_0$, and assuming that the alphabet $\Sigma$ is $\{up, down\}$, 
the failures are obtained as follows. 

$failures(P_0) = \{(\langle\rangle, \{down\}),\ (\langle\rangle, \emptyset),\ (\langle up\rangle, \{up\}),\ (\langle up\rangle, \emptyset),$ 
$\quad (\langle up, down\rangle, \{up, down\}),\ (\langle up, down\rangle, \{up\}),\ (\langle up, down\rangle, \{down\}),\ (\langle up, down\rangle, \emptyset)\}$ 

In other words, once the process deadlocks it refuses every possible event. Failures 
allow the semantics of external and internal choice to be distinguished. 

Refinement is defined by considering the refusal pairs in addition to the traces. 

Definition 52 (Failures Refinement) 

$P \sqsubseteq_F Q \Leftrightarrow traces(Q) \subseteq traces(P) \wedge failures(Q) \subseteq failures(P)$ 

A process P is refined by Q if, and only if, in addition to the traces of Q being a 
subset of those of P, the failures of Q are also a subset of those of P. 
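As an added example (not part of the thesis), the following Python computes the traces and stable failures of finite processes built from Stop, event prefixing, external choice and internal choice, and checks the traces refinement of Definition 51 and the failures refinement of Definition 52. Skip, recursion and divergence are deliberately omitted so that every semantic set is finite, and refusal sets are taken over an explicitly supplied alphabet $\Sigma$; both are assumptions of the example, not of the thesis.

```python
"""Denotational semantics for a finite fragment of CSP (added example).

Processes are built from Stop, prefixing, external choice and internal
choice.  Skip, recursion and divergence are left out (an assumption of
this example) so that traces and failures are finite sets.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Tuple

Trace = Tuple[str, ...]
Refusal = FrozenSet[str]
Failure = Tuple[Trace, Refusal]


class Proc:
    """Base class for process terms."""


@dataclass(frozen=True)
class Stop(Proc):
    """Deadlock: offers nothing and refuses everything."""


@dataclass(frozen=True)
class Prefix(Proc):
    """a -> P: offers the single event `event`, then behaves as `rest`."""
    event: str
    rest: Proc


@dataclass(frozen=True)
class ExtChoice(Proc):
    """P [] Q: the environment resolves the choice with its first event."""
    left: Proc
    right: Proc


@dataclass(frozen=True)
class IntChoice(Proc):
    """P |~| Q: the process resolves the choice itself (demonic)."""
    left: Proc
    right: Proc


def powerset(alphabet: FrozenSet[str]):
    """Every subset of Sigma, i.e. every candidate refusal set."""
    items = sorted(alphabet)
    for k in range(len(items) + 1):
        for combo in combinations(items, k):
            yield frozenset(combo)


def traces(p: Proc) -> FrozenSet[Trace]:
    """traces : CSP -> P(seq Sigma); finite here because there is no recursion."""
    if isinstance(p, Stop):
        return frozenset({()})
    if isinstance(p, Prefix):
        return frozenset({()}) | frozenset((p.event,) + t for t in traces(p.rest))
    if isinstance(p, (ExtChoice, IntChoice)):
        # Both choices have the same traces, which is why the traces model
        # cannot tell them apart.
        return traces(p.left) | traces(p.right)
    raise TypeError(f"unknown process {p!r}")


def failures(p: Proc, alphabet: FrozenSet[str]) -> FrozenSet[Failure]:
    """failures : CSP -> P(seq Sigma x P Sigma), the stable failures of p."""
    if isinstance(p, Stop):
        # Deadlock refuses every subset of Sigma after the empty trace.
        return frozenset(((), x) for x in powerset(alphabet))
    if isinstance(p, Prefix):
        initial = frozenset(((), x) for x in powerset(alphabet) if p.event not in x)
        later = frozenset(((p.event,) + s, x) for s, x in failures(p.rest, alphabet))
        return initial | later
    if isinstance(p, ExtChoice):
        fl, fr = failures(p.left, alphabet), failures(p.right, alphabet)
        # Before any event only what BOTH branches refuse can be refused;
        # after the first event the chosen branch alone decides.
        initial = frozenset(f for f in fl & fr if f[0] == ())
        later = frozenset(f for f in fl | fr if f[0] != ())
        return initial | later
    if isinstance(p, IntChoice):
        # The process may pick either branch, so it may refuse whatever either refuses.
        return failures(p.left, alphabet) | failures(p.right, alphabet)
    raise TypeError(f"unknown process {p!r}")


def traces_refines(spec: Proc, impl: Proc) -> bool:
    """Definition 51: spec [=T impl  iff  traces(impl) is a subset of traces(spec)."""
    return traces(impl) <= traces(spec)


def failures_refines(spec: Proc, impl: Proc, alphabet: FrozenSet[str]) -> bool:
    """Definition 52: traces AND failures of impl are subsets of those of spec."""
    return traces_refines(spec, impl) and failures(impl, alphabet) <= failures(spec, alphabet)


# P0 = up -> down -> Stop from Example 7, over Sigma = {up, down}.
SIGMA = frozenset({"up", "down"})
P0 = Prefix("up", Prefix("down", Stop()))

if __name__ == "__main__":
    print(sorted(traces(P0)))
    print(sorted(failures(P0, SIGMA), key=lambda f: (f[0], sorted(f[1]))))
    # Stop refines P0 in the traces model but not in the failures model.
    print(traces_refines(P0, Stop()), failures_refines(P0, Stop(), SIGMA))
```

Running the script reproduces the three traces and the eight failures of $P_0$ listed above, and shows that Stop refines $P_0$ under Definition 51 but not under Definition 52, because Stop has the failure $(\langle\rangle, \{up, down\})$ that $P_0$ lacks. The same functions also show that $a \rightarrow Stop \Box b \rightarrow Stop$ and $a \rightarrow Stop \sqcap b \rightarrow Stop$ have identical traces while the external choice has strictly fewer failures, so external choice refines internal choice but not conversely.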

This is almost the complete semantics for CSP, except for the treatment of 
divergence, which requires one final addition to the model. 


Failures-Divergences 

Divergence can arise in CSP in different ways. The most obvious is through the 
process Chaos, whose arbitrary behaviour includes divergence, while a process such 
as $P = P$, an infinite recursion with no visible events, also diverges. The Chaos 
process of the standard presentation [17] is the most nondeterministic process that does 
not diverge. Here we consider the behaviour of Chaos to be completely arbitrary, which 
corresponds to div in the standard CSP failures-divergences semantics. The approach 
followed in CSP is that any two processes that can diverge immediately are equivalent 
and useless, and that, once a process diverges, it can perform any trace of events and 
refuse any event. 

The function $divergences : CSP \rightarrow \mathbb{P}(seq\,\Sigma)$ gives the set of divergences of a 
CSP process. We consider the following example, where the process $P_7$ offers the 
event a followed by divergent behaviour. 

Example 13 (Divergence) $P_7 = a \rightarrow Chaos$ 

Its divergences are the set of all traces that lead to divergent behaviour. In the 
example above this is $\{s : seq\,\Sigma \mid \langle a\rangle \leq s\}$, that is, every trace that has a as its first 
event. In addition, because $divergences(P)$ includes every trace on which process 
P can diverge, the notion of failures needs to be redefined: once a process has 
diverged it can refuse anything. These failures are obtained by the following 
function $failures_\bot$. 

Definition 53 $failures_\bot(P) = failures(P) \cup \{s : seq\,\Sigma;\ X : \mathbb{P}\,\Sigma \mid s \in divergences(P) \bullet (s, X)\}$ 

A process P can then be characterised through the pair $(failures_\bot(P), divergences(P))$. 

Finally, the refinement order for processes P and Q in the failures-divergences 
model is given as follows. 

Definition 54 (Failures-Divergences Refinement) 

$P \sqsubseteq_{FD} Q \Leftrightarrow failures_\bot(Q) \subseteq failures_\bot(P) \wedge divergences(Q) \subseteq divergences(P)$ 

Process P is refined by Q if, and only if, the sets $failures_\bot$ and $divergences$ of Q 
are subsets of those of P. Consequently, Chaos is refined by every other process. 


This concludes our discussion of the standard CSP semantic model of 
failures-divergences. A full account of the CSP semantics, including the operational 
semantics, which is the basis for the FDR model checker, is available in [17]. In 
Section 2.5.4 we present the UTP model of CSP. 


2.5.3 Angelic Nondeterminism in CSP 

As we have previously discussed, the concept of angelic nondeterminism has also 
been considered in the context of CSP. Here we consider in more detail the different 
approaches proposed and discuss their properties. 

Lattice-Theoretic Model 

In [43] Tyrrell et al. present an axiomatised model for an algebra resembling CSP. 
At the core of their proposal is the notion that external choice, referred to as angelic 
choice, is the dual of internal choice in a lattice-theoretic model. This is achieved by a 
stepwise construction that begins with proper processes, that is, processes without 
choice, parallelism or recursion, which are modelled as finite sequences of events 
that terminate with either the empty sequence $\langle\rangle$ or with $\bot$. This is sufficient to 
give semantics to the following processes [43], where $[\![\_]\!] : Proc(\Sigma) \rightarrow seq\,\Sigma$ is the 
semantic denotation for a process, $Proc(\Sigma)$ is the set of all processes constructed 
from Skip, Stop and prefixing of events in $\Sigma$, and $\frown$ is sequence concatenation. 

Definition 55 (Proper Processes) 

$[\![Skip]\!] = \langle\rangle$ 

$[\![Stop]\!] = \bot$ 

$[\![a \rightarrow P]\!] = \langle a\rangle \frown [\![P]\!]$ 

A partial order $\leq_P$ is then defined on $[\![Proc(\Sigma)]\!]$, such that $\bot$ is the least element, 
and for any two processes P and Q their order is given recursively in terms of the 
suffixes of the respective sequences of events. 

Definition 56 (Refinement of Proper Processes) 

$\forall s \in [\![Proc(\Sigma)]\!] \bullet \bot \leq_P s$ 

$\forall e \in \Sigma;\ s, t \in [\![Proc(\Sigma)]\!] \bullet e \frown s \leq_P e \frown t \Leftrightarrow s \leq_P t$ 


This corresponds to the refinement order for proper processes, where Stop is the 
least element of the order. The definition of other operators, such as restriction 
and sequential composition, is given in [43]. 

Having defined the refinement order for proper processes, an order-embedding 
is defined from the set of sequences into the FCD lattice. A lattice L is a free 
completely distributive lattice over a partially ordered set C, written $FCD(C)$, if, 
and only if, "there is a completion $\phi : C \rightarrow L$ such that for every FCD lattice M and 
function $f : C \rightarrow M$, there is a unique function $\phi^*_M : L \rightarrow M$ which is a complete 
homomorphism and satisfies $\phi^*_M \circ \phi = f$" [41, 43]. We illustrate this functional 
relationship in Figure 2.2. The FCD lattice provides a number of interesting properties, 
namely, that each element can be described as the meet of joins of subsets of $\phi C$, 
or the join of meets of subsets of $\phi C$ [43]. This is essential in the characterisation of 
recursive processes, which is achieved through the weakest fixed point of the lattice 
that excludes the least element [43]. Liftings are then defined for unary and binary 
operators into the FCD lattice, such that internal and angelic choice correspond to 
the meet and join, respectively. Definitions are also given in [43] for the alphabetised 
parallel operator and recursive processes. 

The construction of [43] provides for an elegant algebra, whose axiomatic description 
follows from the construction of the FCD lattice. However, with Stop as the 
least element of the refinement order, it is not possible to distinguish deadlock from 
divergence in this model. Thus, the semantics is quite different from the standard 
model of failures-divergences [17, 18]. 


Operational CSP Combinators 

In [13] Roscoe proposes an angelic choice operator through combinator-style 
operational semantics of CSP. Traditionally [17, 18], the operational semantics of CSP 
has been defined through a Labelled Transition System (LTS). An LTS is a directed 
graph, where each edge is labelled with an action that denotes what happens when 
the system transitions between states. In CSP the set of possible labels includes the 
events in $\Sigma$ and two special events: $\checkmark$, which signals successful termination 
and does not require the cooperation of the environment (as in the case of 
Skip), and $\tau$, which is an internal event invisible to the environment. Hence, $\checkmark$ is 
always the last event possible and leads to a special end state $\Omega$. 

Operational semantics for CSP operators can be given in the style of Plotkin's 
Structured Operational Semantics (SOS) [73]. For example, the process Stop has no 
actions, while Skip can be given the following rule [18]. 


$\dfrac{}{Skip \xrightarrow{\checkmark} \Omega}$ 

Since the transition relation always associates Skip with $\Omega$ via the action $\checkmark$, the 
premise above the bar is empty, while the conclusion below the bar states that Skip 
can transition into the final state $\Omega$ by performing $\checkmark$. External choice, on the 
other hand, requires more rules, since an internal event $\tau$ does not resolve the choice [13]. 

$\dfrac{P \xrightarrow{\tau} P'}{P \Box Q \xrightarrow{\tau} P' \Box Q} \qquad \dfrac{Q \xrightarrow{\tau} Q'}{P \Box Q \xrightarrow{\tau} P \Box Q'}$ 

In these two cases an internal action can be performed by either P or Q, in which 
case the $\tau$ event is promoted while the choice is not resolved. Any other event a, 
including $\checkmark$, resolves the choice between processes P and Q. 

$\dfrac{P \xrightarrow{a} P'}{P \Box Q \xrightarrow{a} P'}\ (a \neq \tau) \qquad \dfrac{Q \xrightarrow{a} Q'}{P \Box Q \xrightarrow{a} Q'}\ (a \neq \tau)$ 


Given the number of different rules needed to specify an operator, and the fact 
that it is actually possible to define operators that do not conform to the 
failures-divergences semantics of CSP, Roscoe proposes an alternative known as 
combinator-style operational rules. The idea is that it is possible to distinguish process 
arguments whose actions are immediately relevant from those that are not [18]. 
The latter are off, while the former are on. Thus the semantics of external choice 
can be given as 

$((a, \cdot), a, 1),\ ((\cdot, a), a, 2)$ for each $a \in \Sigma$ 

where each triple consists of: a tuple that denotes the action each on argument 
performs (with $\cdot$ indicating none), ordered according to the indices of the 
arguments; the overall action performed; and the format of the resulting state, given 
in CSP syntax. In the case of external choice, for each event a in $\Sigma$, either the first 
process, whose tuple is $(a, \cdot)$, or the second process, whose tuple is $(\cdot, a)$, can resolve 
the choice. The resulting event performed by the system is a, and the resulting state 
is either 1, which corresponds to the first process, or 2, which corresponds to the 
second process. 

An assumption of this style of specification is that $\tau$ events are always promoted 
for arguments that are on, so there is no need to include rules for this [18]. Finally, 
the specification of the external choice operator also requires rules for termination: 

$((\checkmark, \cdot), \checkmark, \Omega),\ ((\cdot, \checkmark), \checkmark, \Omega)$ 

In this case the termination of either process leads to termination, and the system 
transitions to the special state $\Omega$ with the visible action $\checkmark$. 

The interesting result about this style of operational specification is that every 
such operator conforms to the failures-divergences semantics of CSP, and Roscoe [18] 
envisions this as a mechanism for adding new operators to FDR. Moreover, Roscoe 
also gives a CSP process which is able to simulate processes specified using 
combinator-style semantics. 

Having defined his combinator-style operational rules, Roscoe [18] proposes an 
angelic choice operator $P \odot Q$ (Example 9.2 in [18]), which gives the environment 
a choice over the actions of both P and Q as long as the environment picks one that they 
both offer. In fact, to achieve this definition Roscoe defines a family of operators 
$P\ {}^{s}\odot\ Q$ and $P \odot^{s} Q$, where s is a non-empty trace that keeps track of the events 
performed "ahead" by the other operand. The operational semantics of 
this angelic choice operator is reproduced below. 

• For $\odot$: $\forall a \in \Sigma$: $((a, \cdot), a, 1 \odot^{\langle a\rangle} 2)$, $((\cdot, a), a, 1\ {}^{\langle a\rangle}\odot\ 2)$, 
  $((\checkmark, \cdot), \checkmark, \Omega)$ and $((\cdot, \checkmark), \checkmark, \Omega)$ 

• For ${}^{\langle b\rangle \frown s}\odot$: $\forall a \in \Sigma$: $((b, \cdot), \tau, 1\ {}^{s}\odot\ 2)$, $((\cdot, a), a, 1\ {}^{\langle b\rangle \frown s \frown \langle a\rangle}\odot\ 2)$, 
  $((\checkmark, \cdot), \tau, 2)$ and $((\cdot, \checkmark), \checkmark, \Omega)$ 

• For $\odot^{\langle b\rangle \frown s}$: $\forall a \in \Sigma$: $((\cdot, b), \tau, 1 \odot^{s} 2)$, $((a, \cdot), a, 1 \odot^{\langle b\rangle \frown s \frown \langle a\rangle} 2)$ 
  and $((\cdot, \checkmark), \tau, 1)$ 

The first set of rules, for $P \odot Q$, considers the case where either P or Q performs 
the event a, in which case the event a is visible. If P performs event a, then the 
resulting process $P \odot^{\langle a\rangle} Q$ records the sequence $\langle a\rangle$ of events on which Q could 
still catch up. Similarly, there is a rule for the case when Q performs the event a. If 
either process terminates, then $\checkmark$ is observed and the system transitions to $\Omega$. 

The second set of rules, for $P\ {}^{\langle b\rangle \frown s}\odot\ Q$, considers the case where process Q is 
ahead. If P performs the event b, then an internal event is observed, and the 
resulting process $P\ {}^{s}\odot\ Q$ records the tail s of the sequence. Process Q could 
perform another event a and step further ahead, in which case a is appended to the 
sequence $\langle b\rangle \frown s$. If P terminates, then an internal event $\tau$ is observed and 
the choice is resolved in favour of Q. Otherwise, if Q terminates, then $\checkmark$ is observed 
and the system transitions into $\Omega$. The last set of rules describes the symmetric case, 
where P is ahead of Q instead. 

In summary, a process whose trace is behind the other is allowed to catch up, 
while if it terminates the choice resolves in favour of the other process. We 
consider the following example, with $\Sigma = \{a, b\}$. 

Example 14 $(a \rightarrow Chaos) \odot (a \rightarrow Skip)$ 

Suppose the left-hand process $a \rightarrow Chaos$ performs event a first; then we arrive 
at the configuration $Chaos \odot^{\langle a\rangle} (a \rightarrow Skip)$. Now either $a \rightarrow Skip$ catches up, in 
which case the process can then potentially terminate, or we observe events from 
Chaos with the potential for non-termination. Similar reasoning applies to the case 
where the right-hand side performs event a first. In other words, an equivalent CSP 
process describing this behaviour is $a \rightarrow (Chaos \sqcap Skip)$, where, following 
the event a, it may terminate or diverge. Essentially, this angelic choice operator 
is a variant of the external choice operator that is able to delay the choice between 
the branches for as long as the environment can control that choice. 

It is clear from Example 14 that the angelic choice operator of Roscoe [18] is not 
able to avoid divergence. Ideally, a counterpart to the angelic choice of the refinement 
calculus should avoid divergence and favour successfully terminating processes, just 
like in most theories of angelic nondeterminism. 

2.5.4 UTP Model 

As we have previously discussed, CSP can be characterised in the UTP through the 
theory of reactive processes. In addition to the variables $ok$ and $ok'$ of the 
theory of designs, this theory includes the variables $wait$, $tr$, $ref$ and their dashed 
counterparts, which record information about interactions with the environment. 

The variable $wait$ records whether the previous process is waiting for an interaction 
from the environment or, alternatively, has terminated. Similarly, $wait'$ 
ascertains this for the current process. The variable $ok$ indicates whether the previous 
process is in a stable state, while $ok'$ records this information for the current 
process. If a process is not in a stable state, then it is said to have diverged. A 
process only starts executing in a state where $ok$ and $\neg wait$ are true. Successful 
termination is characterised by $ok'$ and $\neg wait'$ being true. 

Like in standard CSP, the interactions with the environment are represented 
using sequences of events, recorded by $tr$ and $tr'$. The variable $tr$ records the 
sequence of events that took place before the current process started, while $tr'$ 
records all the events that have been observed so far. Finally, $ref$ and $ref'$ record 
the set of events that may be refused by the process at the start, and currently, as 
required for the appropriate modelling of deadlock. 

Healthiness Conditions 

The theory of reactive processes R is characterised by the functional composition 
of the following three healthiness conditions, which we reproduce below [55]. 

Definition 57 (Reactive Process) 

$\mathbf{R1}(P) = P \wedge tr \leq tr'$ 

$\mathbf{R2}(P) = P[\langle\rangle, tr' - tr / tr, tr']$ 

$\mathbf{R3}(P) = \mathbb{I}_{rea} \lhd wait \rhd P$ 

$\mathbf{R}(P) = \mathbf{R3} \circ \mathbf{R1} \circ \mathbf{R2}(P)$ 

R1 requires that in all circumstances the only change that can be observed in 
the final trace of events $tr'$ is an extension of the initial sequence $tr$, while R2 
requires that a process must not impose any restriction on the initial value of $tr$. 
Finally, R3 requires that if the previous process is waiting for an interaction with 
the environment, that is, $wait$ is true, then the process behaves as the identity of the 
theory, $\mathbb{I}_{rea}$ [33, 51]; otherwise it behaves as P. The healthiness condition of the 
theory of reactive processes is R, the functional composition of R1, R2 and R3. 


CSP Processes as Reactive Designs 

The theory of CSP can be described by reactive processes that in addition also 
satisfy two other healthiness conditions, CSP1 and CSP2, whose definitions are 
reproduced below [33, 51]. 

Definition 58 (CSP) 

$\mathbf{CSP1}(P) = P \vee \mathbf{R1}(\neg ok)$ 

$\mathbf{CSP2}(P) = P ; ((ok \Rightarrow ok') \wedge tr' = tr \wedge ref' = ref \wedge wait' = wait)$ 

The first healthiness condition, CSP1, requires that if the previous process has 
diverged, that is, $ok$ is false, then extension of the trace is the only guarantee. CSP2 
is H2, using the J-split of Cavalcanti and Woodcock [33], restated with the extended 
alphabet of reactive processes. 

A process that is R, CSP1 and CSP2-healthy can be described in terms of 
a design, as proved in [33, 51]. We reproduce this result below, where we use the 
notation $P^o_w = P[o, w/ok', wait]$. 

Theorem T.2.5.1 (Reactive Design) For every CSP process P, 

$\mathbf{R}(\neg P^f_f \vdash P^t_f) = P$ 

Proof. Theorem 12 in [33], or Theorem 8.2.2 in the UTP book [39]. □ 

This result is important as it allows CSP processes to be specified in terms of pre- 
and postconditions, as is the case for sequential programs, while the healthiness 
condition R enforces the required reactive behaviour. 
Operators 

The operators of CSP can then be defined using reactive designs. In what follows 
we present the most important CSP operators and discuss their specification, where 
we use the subscript R to distinguish these definitions from those in other theories. 
The first process of interest is $Skip_R$, which terminates successfully. 

Definition 59 (Skip) $Skip_R = \mathbf{R}(true \vdash tr' = tr \wedge \neg wait')$ 

Its precondition is true, since it never diverges, and its postcondition requires that 
the trace of events $tr$ is unchanged while it terminates: $\neg wait'$. 

On the other hand, the process that never terminates is defined by $Stop_R$. 

Definition 60 (Stop) $Stop_R = \mathbf{R}(true \vdash tr' = tr \wedge wait')$ 

Its precondition is true, while the postcondition requires that not only is the trace 
of events $tr$ never changed, but the process is always waiting for the environment: 
$wait'$ is true. 

Immediate divergence is captured by the process $Chaos_R$. 

Definition 61 (Chaos) $Chaos_R = \mathbf{R}(false \vdash true)$ 

In this case the precondition is false, since it always diverges, so there is no way 
to satisfy the precondition of this process, and its postcondition is true. In fact, this 
design reduces to true, and the function R ensures that the only observation that 
can be made is the extension of the trace $tr$. 

Prefixing can be described in terms of reactive designs as follows. 

Definition 62 (Prefixing) 

$a \rightarrow_R Skip_R = \mathbf{R}(true \vdash (tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr \frown \langle a\rangle))$ 

The precondition is true, while in the postcondition there is a conditional, which 
defines two possible observations of its behaviour. When the process is still waiting 
for an interaction from the environment, and $wait'$ is true, then the trace of events 
remains unchanged while the event a is not in the set of refusals $ref'$. When the 
process is no longer waiting, and $wait'$ is false, then the event a is appended to the 
initial trace of events $tr$. 

In the case of internal choice the environment has no control over the choice. 

Definition 63 (Internal Choice) $P \sqcap_R Q = \mathbf{R}(\neg P^f_f \wedge \neg Q^f_f \vdash P^t_f \vee Q^t_f)$ 

In this case the precondition requires that the preconditions of both processes P and 
Q, $\neg P^f_f$ and $\neg Q^f_f$, hold. Moreover, the postcondition is the disjunction of the 
postconditions of P and Q, $P^t_f$ and $Q^t_f$, respectively, as either postcondition may be 
established. 

External choice, on the other hand, presents a more complex definition as a 
reactive design. 

Definition 64 (External Choice) 

$P \Box_R Q = \mathbf{R}(\neg P^f_f \wedge \neg Q^f_f \vdash (P^t_f \wedge Q^t_f) \lhd tr' = tr \wedge wait' \rhd (P^t_f \vee Q^t_f))$ 

As in the definition of internal choice, both preconditions of P and Q need to be 
satisfied. The postcondition defines two cases. While the process is waiting and the 
trace of events has not changed, the only possible observations of the external 
choice are those admitted by the postconditions of both processes; once a choice 
is made, the observations are either those of P or those of Q, according to their 
postconditions. 

The final, and perhaps most complex, yet fundamental operator that we consider 
in this discussion is sequential composition. 

Definition 65 (Sequential Composition) 

$P ;_R Q = \mathbf{R}\big(\neg(\mathbf{R1}(P^f_f) ; \mathbf{R1}(true)) \wedge \neg(\mathbf{R1}(P^t_f) ; (\neg wait \wedge \mathbf{R1} \circ \mathbf{R2}(Q^f_f))) \vdash \mathbf{R1}(P^t_f) ; (\mathbb{I} \lhd wait \rhd \mathbf{R1} \circ \mathbf{R2}(Q^t_f))\big)$ 

The precondition is the conjunction of two terms, the first of which requires that 
the precondition of P is satisfied. This is similar to the sequential composition of 
designs (Theorem T.2.4.4), apart from the fact that R1 is required to hold. The 
second term requires that the postcondition of P satisfies the precondition of Q when 
$wait$ is no longer true, that is, when Q actually starts executing. This is again similar 
to the result for designs, apart from the presence of the variable $wait$ and the fact 
that R1 must hold, and so must R2 for the negation of the precondition of Q. Finally, 
the postcondition is given by the sequential composition of the postcondition of P with 
a conditional: if P is still waiting for the environment, then it behaves as the 
identity $\mathbb{I}$; otherwise it behaves as the postcondition of Q, where both R1 and R2 
are required to hold. 
This concludes our discussion of the UTP model of CSP. We have covered the 
definition of the most important operators as reactive designs. In the following 
section we summarise the main points of this chapter. 

2.6 Final Considerations 

The concept of angelic nondeterminism has been employed in many different 
applications, as we have discussed. Its original treatment made the abstract specification 
of algorithms in problems involving backtracking and search possible. In the context 
of theories of correctness, it has traditionally been studied in the refinement calculus 
of Back [32], Morris [29] and Morgan [31] through the universal monotonic predicate 
transformers, where it can be characterised as the least upper bound of the lattice. 

In the context of relational theories, however, capturing both angelic and demonic 
nondeterminism is not entirely trivial. Rewitzky [35] provided the fundamental 
theory of binary multirelations, in which angelic nondeterminism can be characterised 
in terms of relations between states and sets of states. This has been used by 
Cavalcanti et al. [38] to encode both angelic and demonic nondeterminism in the 
relational setting of Hoare and He's UTP [39], a framework suitable for studying 
different programming paradigms, including process algebras like CSP. 

CSP has received some attention regarding the concept of angelic nondeterminism 
as well. In particular, Tyrrell et al. [43] have suggested a lattice-theoretic 
model for an algebra resembling CSP, where angelic choice is the dual of internal 
choice. However, the semantics is quite different from the standard model of 
failures-divergences of CSP [17, 18]. Roscoe has also proposed an angelic choice operator, 
which, however, does not avoid divergent behaviour. Ideally, an angelic choice 
counterpart to the refinement calculus should avoid divergent behaviour. This notion, 
however, has been elusive. We address this problem in the remainder of this thesis. 
Figure 2.2: Free Completely Distributive Lattice completion 



Chapter 3 

Extended Binary Multirelations 


In this chapter we introduce an extended model of binary multirelations that caters 
for sets of final states that are not necessarily terminating. This is achieved by ex¬ 
tending Rewitzky’s [35] model of upward-closed binary multirelations with a special 
state that denotes the possibility for non-termination. 

Section 3.1 introduces the model. In Section 3.2 the healthiness 
conditions are defined; their characterisation as fixed points is discussed in 
Section 3.3. In Section 3.4 the refinement order is defined, while the operators are 
defined in Section 3.5. Section 3.6 formalises the relationship between this model 
and that of [35]. Finally, we summarise our results in Section 3.7. 


3.1 Introduction 

Similarly to the original model of binary multirelations, a relation in this model 
associates to each initial program state a set of final states. The notion of a final 
state, however, is different, as formalised by the following type $BM_\bot$. 

Definition 66 (Extended Binary Multirelation) 

$State_\bot == State \cup \{\bot\}$ 

$BM_\bot == State \leftrightarrow \mathbb{P}\,State_\bot$ 

Each initial state is related to a set of final states of type $State_\bot$, a set that may 
contain the special state $\bot$, which denotes non-termination. If a set of final states 
does not contain $\bot$, then termination in one of its states is guaranteed. 

Similar to the original theory of binary multirelations, the set of final states 
encodes the choices available to the angel. The demonic choices are encoded by the 
different ways in which the set of final states can be chosen. 

We consider the following example, where the value 1 is assigned to the program 
variable x, but termination is not guaranteed. This is specified by the following 
relation, where $:=_{BM_\bot}$ is the assignment operator that does not require termination. 

Example 15 $x :=_{BM_\bot} 1 = \{s : State;\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto 1) \in ss\}$ 


Every initial state s is related to a set of final states ss where the state obtained 
from s by overriding the value of the component x with 1 is included. Since ss is 
of type State±, the sets of final states ss include those with and without _L. The 
angelic choice, therefore, cannot guarantee termination. In the following examples 
and definitions we may omit the type of s and ss for conciseness; they always have 


the same types as in Example 15 


It is also possible to specify a program that must terminate for certain sets of
final states but not necessarily for others, as shown in the following example, where
$\sqcap_{BM_\bot}$ is the demonic choice operator of the theory.

Example 16

$(x :=_{BM} 1) \sqcap_{BM_\bot} (x :=_{BM_\bot} 2)$

$= \{ s, ss \mid (s \oplus (x \mapsto 1) \in ss \land \bot \notin ss) \lor (s \oplus (x \mapsto 2) \in ss) \}$

Since $BM$ is in fact a subset of $BM_\bot$, it is possible to use some of the existing
operators, such as the terminating assignment operator $:=_{BM}$. In this case, there is
a demonic choice between the terminating assignment of 1 to $x$, and the assignment
of 2 to $x$ that does not require termination.


3.2 Healthiness Conditions 


Having defined the type of the extended binary multirelations $BM_\bot$, in the following
Sections 3.2.1 to 3.2.4 we introduce the healthiness conditions that characterise
the relations in the theory.


3.2.1 BMH0

The first healthiness condition of interest is BMH0. It enforces the upward closure
of the original theory of binary multirelations [35] for sets of final states that are
necessarily terminating, and in addition enforces a similar property for sets of final
states that are not required to terminate.

Definition 67 (BMH0)

$\forall s, ss_0, ss_1 \bullet ((s, ss_0) \in B \land ss_0 \subseteq ss_1 \land (\bot \in ss_0 \Leftrightarrow \bot \in ss_1)) \Rightarrow (s, ss_1) \in B$

It states that for every initial state $s$, and for every set of final states $ss_0$ in a relation
$B$, any superset $ss_1$ of that set of final states is also associated with $s$, provided that $\bot$
is in $ss_0$ if, and only if, it is in $ss_1$. That is, BMH0 requires the upward closure for
sets of final states that terminate, and for those that may or may not terminate,
but separately.

The definition of BMH0 can be split into two conjuncts as established by the
following Lemma L.3.2.1. BMH is the healthiness condition of the original theory,
whose definition was reproduced in Section 2.3. Proofs of these and other results to
follow can be found in Appendix B.

Lemma L.3.2.1

$BMH0 \Leftrightarrow (\forall s, ss_0, ss_1 \bullet ((s, ss_0) \in B \land ss_0 \subseteq ss_1 \land \bot \in ss_0 \land \bot \in ss_1) \Rightarrow (s, ss_1) \in B) \land BMH$

This result confirms that for sets of final states that terminate this healthiness condition
enforces BMH exactly as in the original theory of binary multirelations [35].




3.2.2 BMH1

The second healthiness condition BMH1 requires that if it is possible to choose a set
of final states where termination is not guaranteed, then it must also be possible to
choose an equivalent set of states where termination is guaranteed. This healthiness
condition is similar in nature to H2 of the theory of designs.

Definition 68 (BMH1) $\forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet (s, ss \cup \{\bot\}) \in B \Rightarrow (s, ss) \in B$

If it is possible to reach a set of final states $ss \cup \{\bot\}$ from some initial state $s$,
then the set of final states $ss$, without $\bot$, so that termination is required, is also
associated with $s$.

This healthiness condition excludes relations that only offer sets of final states
that may not terminate. We consider the following Example 17.

Example 17 $\{ s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto 1) \in ss \land \bot \in ss \}$

This relation describes the assignment of 1 to the program variable $x$ where termination
is not guaranteed. It discards the inclusive situation where termination may
indeed occur, and so is not BMH1-healthy. The inclusion of a corresponding set of
final states that requires termination does not change the choices available to the
angel, as it is still impossible to guarantee termination.


3.2.3 BMH2

In this model, both the empty set of final states and $\{\bot\}$ characterise abortion. This
redundancy, which facilitates the linking between theories, in particular with the
original theory of Rewitzky [35], is captured by the following healthiness condition.

Definition 69 (BMH2) $\forall s : State \bullet (s, \emptyset) \in B \Leftrightarrow (s, \{\bot\}) \in B$

It requires that every initial state $s$ is related to the empty set of final states if, and
only if, it is also related to the set of final states $\{\bot\}$. By allowing $(s, \emptyset)$ to be part
of the model, we can easily characterise the original theory of binary multirelations
as a subset of ours.

If we consider BMH1 in isolation, it covers the reverse implication of BMH2,
because if $(s, \{\bot\})$ is in the relation, so is $(s, \emptyset)$. However, BMH2 is stronger than
BMH1 by requiring $(s, \{\bot\})$ to be in the relation if $(s, \emptyset)$ is also in the relation.

This new model of binary multirelations is characterised by the conjunction of the
healthiness conditions BMH0, BMH1 and BMH2, to which we refer as $BMH_\bot$.

In Section 3.3 we provide alternative definitions of the healthiness conditions in
terms of fixed points. This characterisation enables us, for instance, to establish
that the healthiness conditions are idempotent and monotonic.


3.2.4 BMH3

The fourth healthiness condition characterises a subset of the model that corresponds
to the original theory of binary multirelations of Rewitzky [35].

Definition 70 (BMH3)

$\forall s : State \bullet (s, \emptyset) \notin B \Rightarrow (\forall ss : \mathbb{P}\,State_\bot \bullet (s, ss) \in B \Rightarrow \bot \notin ss)$

If an initial state $s$ is not related to the empty set, then it must be the case that for
all sets of final states $ss$ related to $s$, $\bot$ is not included in the set $ss$.

The healthiness condition BMH3 excludes relations that do not guarantee termination
for particular initial states, yet establish some set of final states. An
example of such a relation is Example 15. This is also the case for the original
theory of binary multirelations. If it is possible for a program not to terminate
when started from some initial state, then execution from that state must lead to
arbitrary behaviour. This is the same intuition as for H3 of the theory of designs [35].


3.3 Healthiness Conditions as Fixed Points

Having defined the healthiness conditions of the theory, in this section we consider
their definitions via idempotent functions, whose fixed points are the relations in
the theory. This is similar to the approach followed in UTP theories. This dual
characterisation is used in Section 3.6 to establish an isomorphism between a subset
of this model and the original theory of binary multirelations.

For each healthiness condition of interest, we use the notation $bmh_x$ to denote
the function whose fixed points correspond exactly to the relations characterised by
the healthiness condition BMHx, that is, $bmh_x(B) = B \Leftrightarrow BMHx$. Furthermore,
the notation $bmh_{x,y}$ denotes the functional composition of the functions $bmh_x$ and
$bmh_y$, so that $bmh_{x,y}(B) = bmh_x \circ bmh_y(B)$.

In the next Section 3.3.1 each healthiness condition is characterised by a corresponding
function. A full account of the properties of the functional composition of
each function is found in Appendix B.2. Moreover, in Sections 3.3.2 and 3.3.3 the
two functions that characterise the model as a whole, and its subset of interest, are
presented.


3.3.1 $bmh_0$, $bmh_1$, $bmh_2$ and $bmh_3$

The first function of interest is $bmh_0$, whose fixed points are the BMH0-healthy
binary multirelations. It is defined as follows.

Definition 71

$bmh_0(B) = \{ s, ss \mid \exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \}$

For every initial state $s$ in $B$, whenever it is related to a set of final states $ss_0$ it is
also related to its superset $ss$, such that $\bot$ is in $ss_0$ if, and only if, $\bot$ is also in $ss$.
In other words, $bmh_0$ enforces the upward closure of a relation $B$ just like BMH0.
The healthiness condition BMH1 is characterised by the fixed points of $bmh_1$.

Definition 72 $bmh_1(B) = \{ s, ss \mid (s, ss \cup \{\bot\}) \in B \lor (s, ss) \in B \}$

Its definition considers all pairs $(s, ss)$ in $B$, such that if a set of final states includes
$\bot$ then there is also a set of final states without $\bot$.

BMH2-healthy relations are fixed points of the function $bmh_2$, whose definition
is presented below.

Definition 73 $bmh_2(B) = \{ s, ss \mid (s, ss) \in B \land ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \}$

The definition considers every pair $(s, ss)$ in $B$ and requires that $(s, \{\bot\})$ is in $B$ if,
and only if, $(s, \emptyset)$ is also in $B$. If the equivalence is not satisfied for an initial state $s$,
then $bmh_2$ discards every pair of $B$ whose initial state is $s$.

Finally, the BMH3-healthy relations are characterised by the fixed points of
$bmh_3$.

Definition 74 $bmh_3(B) = \{ s, ss \mid ((s, \emptyset) \in B \lor \bot \notin ss) \land (s, ss) \in B \}$

The definition considers every pair $(s, ss)$ in $B$ and requires that either $ss$ is a set
of final states with guaranteed termination, and so without $\bot$, or $(s, \emptyset)$ is in $B$, and
thus the initial state $s$ leads to arbitrary behaviour.

The following Lemmas L.3.3.1 to L.3.3.4 establish that the fixed points of each
$bmh_x$ function are exactly those relations that satisfy the corresponding healthiness
condition BMHx.


Lemma L.3.3.1 $BMH0 \Leftrightarrow bmh_0(B) = B$

Lemma L.3.3.2 $BMH1 \Leftrightarrow bmh_1(B) = B$

Lemma L.3.3.3 $BMH2 \Leftrightarrow bmh_2(B) = B$

Lemma L.3.3.4 $BMH3 \Leftrightarrow bmh_3(B) = B$

Furthermore, the following Lemmas L.3.3.5 to L.3.3.8 establish that each $bmh_x$
function is idempotent.

Lemma L.3.3.5 $bmh_0 \circ bmh_0(B) = bmh_0(B)$

Lemma L.3.3.6 $bmh_1 \circ bmh_1(B) = bmh_1(B)$

Lemma L.3.3.7 $bmh_2 \circ bmh_2(B) = bmh_2(B)$

Lemma L.3.3.8 $bmh_3 \circ bmh_3(B) = bmh_3(B)$


This concludes our discussion regarding the definition of the $bmh_x$ functions.
Properties of their functional composition are studied in detail in Appendix B.2. In
the following Sections 3.3.2 and 3.3.3 we focus our attention only on the functional
compositions that characterise the theory of BMH0-BMH2 multirelations and the
subset that, in addition, satisfies BMH3.


3.3.2 $bmh_{0,1,2}$

The relations in the model of extended binary multirelations are characterised by
the conjunction of the healthiness conditions BMH0, BMH1 and BMH2, otherwise
also named $BMH_\bot$, as depicted in Figure 1.1. These relations can also
be expressed as fixed points of the functional composition of the functions $bmh_0$,
$bmh_1$ and $bmh_2$, as shown by the following Lemma L.3.3.9.

Lemma L.3.3.9

$bmh_{0,1,2}(B) = \left\{ s, ss \,\middle|\, \exists ss_0 \bullet \begin{array}{l} ((s, ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \\ \land\ ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \\ \land\ ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \end{array} \right\}$

The notation $bmh_{0,1,2}$ denotes the functional composition $bmh_0 \circ bmh_1 \circ bmh_2$.
The order of this functional composition is justified by Theorem T.3.3.1 and results
established in Appendices B.2.5 and B.2.6.

Theorem T.3.3.1 $BMH0 \land BMH1 \land BMH2 \Leftrightarrow bmh_{0,1,2}(B) = B$

Proof. Follows from Lemmas L.3.3.10 to L.3.3.13 below. $\square$

That is, a multirelation $B$ is a fixed point of $bmh_{0,1,2}$ if, and only if, it satisfies
the healthiness conditions BMH0, BMH1 and BMH2. The proof of this theorem
relies on the results which we discuss in the following paragraphs.
First we establish in Lemmas L.3.3.10 to L.3.3.12 that a fixed point of $bmh_{0,1,2}$
satisfies each of the healthiness conditions BMH0, BMH1 and BMH2.

Lemma L.3.3.10 $(bmh_{0,1,2}(B) = B) \Rightarrow BMH0$

Lemma L.3.3.11 $(bmh_{0,1,2}(B) = B) \Rightarrow BMH1$

Lemma L.3.3.12 $(bmh_{0,1,2}(B) = B) \Rightarrow BMH2$

Moreover, we establish in Lemma L.3.3.13 that a relation that is BMH0, BMH1
and BMH2-healthy is also a fixed point of $bmh_{0,1,2}$.

Lemma L.3.3.13 Provided $B$ is BMH0-BMH2-healthy, $bmh_{0,1,2}(B) = B$.

These lemmas conclude our discussion of the healthiness conditions of the new theory
of binary multirelations. In summary, these relations can be characterised either by
the predicates BMH0-BMH2 or as fixed points of $bmh_{0,1,2}$. In the following
section we focus our attention on the subset of the theory that contains only the
multirelations that are in addition BMH3-healthy.


3.3.3 $bmh_{0,1,3,2}$

Relations that are BMH0, BMH1, BMH2 and BMH3-healthy can be characterised
as fixed points of the functional composition $bmh_{0,1,3,2}$. The result of this
composition is given by the following Lemma L.3.3.14.

Lemma L.3.3.14

$bmh_0 \circ bmh_1 \circ bmh_3 \circ bmh_2(B) = \left\{ s, ss \,\middle|\, \begin{array}{l} ((s, \emptyset) \in B \land (s, \{\bot\}) \in B) \\ \lor \\ ((s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss)) \end{array} \right\}$

The set construction considers a disjunction, where either $s$ is an aborting state, and
hence it is related to the empty set and to $\{\bot\}$ (and so, by upward closure, to every
set of final states), or, if it is not aborting, it satisfies the same upward closure as
required by $bmh_0$, restricted to sets of final states that do not contain $\bot$. The particular
order of this functional composition is justified by the following Theorem T.3.3.2.
Theorem T.3.3.2 $BMH0 \land BMH1 \land BMH2 \land BMH3 \Leftrightarrow bmh_{0,1,3,2}(B) = B$

The proof of Theorem T.3.3.2 is split into two implications. First, we establish
through Lemma L.3.3.15 that the conjunction of the predicative healthiness conditions
BMH0 to BMH3 implies that $B$ is a fixed point of $bmh_{0,1,3,2}$.

Lemma L.3.3.15 $BMH0 \land BMH1 \land BMH2 \land BMH3 \Rightarrow bmh_{0,1,3,2}(B) = B$

To prove the reverse implication, we first establish through Lemma L.3.3.16 that a
fixed point of $bmh_{0,1,3,2}$ is also a fixed point of $bmh_{0,1,2}$, so that Lemmas L.3.3.10
to L.3.3.12 are directly applicable.

Lemma L.3.3.16 $bmh_{0,1,2} \circ bmh_{0,1,3,2}(B) = bmh_{0,1,3,2}(B)$

Finally, Lemma L.3.3.17 establishes that every fixed point of $bmh_{0,1,3,2}$ satisfies the
predicative healthiness condition BMH3.

Lemma L.3.3.17 $(bmh_{0,1,3,2}(B) = B) \Rightarrow BMH3$

This concludes the proof that the subset of the theory that is in addition BMH3-healthy
also has a counterpart characterisation via fixed points of $bmh_{0,1,3,2}$. This
function characterises the subset that corresponds to the original theory of binary
multirelations. The relationship with the original theory of binary multirelations is
explored in Section 3.6.
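The predicates of Section 3.2 and the functions of Section 3.3 can be checked mechanically once the state space is finite. The following Python block is an added example, not code from the thesis. It assumes a single program variable $x$ over the values $\{0, 1, 2\}$, so that $\mathbb{P}\,State_\bot$ has 16 elements and every relation of type $BM_\bot$ is a finite set of pairs; it implements BMH0-BMH3 both as predicates and as the functions $bmh_0$ to $bmh_3$, and compares the two views on Examples 15 and 17 and on a constructed unhealthy relation. The names `bmh0_ok`, `check`, `ODD` and the numeric encoding of states are this example's own.

```python
"""Finite-model check of the healthiness conditions BMH0-BMH3 (Definitions 67-70)
and of the fixed-point functions bmh0-bmh3 (Definitions 71-74).

Added example, not code from the thesis.  Assumption: one program variable x
over {0, 1, 2}, so State is finite and a relation of type BM_bot is a frozenset
of (s, ss) pairs, with ss a frozenset over State_bot = State | {BOT}.
"""
from itertools import combinations

BOT = "bot"                        # the special state denoting non-termination
STATE = frozenset({0, 1, 2})       # assumed: State = possible values of x
STATE_BOT = STATE | {BOT}          # State_bot
EMPTY = frozenset()


def powerset(xs):
    xs = sorted(xs, key=str)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


SETS_BOT = powerset(STATE_BOT)     # P State_bot: the 16 candidate sets of final states
PAIRS = [(s, ss) for s in STATE for ss in SETS_BOT]


def assign_bot(v):
    """x :=_{BM_bot} v (Definition 78): every ss containing the updated state."""
    return frozenset((s, ss) for (s, ss) in PAIRS if v in ss)


# Healthiness conditions as predicates on a relation B.
def bmh0_ok(B):   # upward closed, separately for sets with and without BOT
    return all((s, ss1) in B for (s, ss0) in B for ss1 in SETS_BOT
               if ss0 <= ss1 and (BOT in ss0) == (BOT in ss1))


def bmh1_ok(B):   # a non-terminating set implies its terminating counterpart
    return all((s, ss - {BOT}) in B for (s, ss) in B if BOT in ss)


def bmh2_ok(B):   # the empty set and {BOT} both encode abortion
    return all(((s, EMPTY) in B) == ((s, frozenset({BOT})) in B) for s in STATE)


def bmh3_ok(B):   # possible non-termination only where s aborts
    return all(BOT not in ss for (s, ss) in B if (s, EMPTY) not in B)


# The same conditions as functions whose fixed points are the healthy relations.
def bmh0(B):
    return frozenset((s, ss) for (s, ss) in PAIRS
                     if any((s, ss0) in B and ss0 <= ss and (BOT in ss0) == (BOT in ss)
                            for ss0 in SETS_BOT))


def bmh1(B):
    return frozenset((s, ss) for (s, ss) in PAIRS if (s, ss | {BOT}) in B or (s, ss) in B)


def bmh2(B):
    return frozenset((s, ss) for (s, ss) in B
                     if ((s, frozenset({BOT})) in B) == ((s, EMPTY) in B))


def bmh3(B):
    return frozenset((s, ss) for (s, ss) in B if (s, EMPTY) in B or BOT not in ss)


def bmh_012(B):                    # bmh0 o bmh1 o bmh2
    return bmh0(bmh1(bmh2(B)))


def bmh_0132(B):                   # bmh0 o bmh1 o bmh3 o bmh2
    return bmh0(bmh1(bmh3(bmh2(B))))


def bmh_012_closed(B):             # closed form of Lemma L.3.3.9, for cross-checking
    return frozenset((s, ss) for (s, ss) in PAIRS
                     if any(((s, ss0) in B or (s, ss0 | {BOT}) in B)
                            and (((s, frozenset({BOT})) in B) == ((s, EMPTY) in B))
                            and ss0 <= ss and (BOT in ss0) == (BOT in ss)
                            for ss0 in SETS_BOT))


def check(B):
    """Compare the predicate view with the fixed-point view on one relation B."""
    preds = [bmh0_ok(B), bmh1_ok(B), bmh2_ok(B), bmh3_ok(B)]
    funcs = [bmh0, bmh1, bmh2, bmh3]
    return {
        "predicates": preds,
        "fixed_points": [f(B) == B for f in funcs],            # Lemmas L.3.3.1-L.3.3.4
        "idempotent": all(f(f(B)) == f(B) for f in funcs),     # Lemmas L.3.3.5-L.3.3.8
        "T331": all(preds[:3]) == (bmh_012(B) == B),            # Theorem T.3.3.1
        "T332": all(preds) == (bmh_0132(B) == B),               # Theorem T.3.3.2
        "L339": bmh_012(B) == bmh_012_closed(B),                # Lemma L.3.3.9
    }


EX15 = assign_bot(1)                                            # Example 15
EX17 = frozenset((s, ss) for (s, ss) in EX15 if BOT in ss)      # Example 17
# Constructed unhealthy relation: s=0 aborts via the empty set only, s=1 via
# {BOT} only, and s=2 offers a single non-terminating set of final states.
ODD = frozenset({(0, EMPTY), (1, frozenset({BOT})), (2, frozenset({1, BOT}))})

if __name__ == "__main__":
    for name, rel in [("Example 15", EX15), ("Example 17", EX17), ("ODD", ODD)]:
        print(name, check(rel))
```

Running the block reports, for each relation, which conditions hold, whether the relation is a fixed point of each function, and that the compositions agree with Theorems T.3.3.1 and T.3.3.2 and Lemma L.3.3.9. Example 15 comes out BMH0-BMH2-healthy but not BMH3-healthy, exactly as Section 3.2.4 states, and $bmh_{0,1,3,2}$ maps it to the terminating assignment $x :=_{BM} 1$; Example 17 fails BMH1, and the constructed relation fails all four.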


3.4 Refinement

The refinement order for the new binary multirelation model is defined exactly as
in the original theory of binary multirelations [35].

Definition 75 (Refinement) $B_1 \sqsubseteq_{BM_\bot} B_0 \;\hat{=}\; B_1 \supseteq B_0$

It is reverse subset inclusion, such that a program characterised by a multirelation
$B_0$ refines another characterised by a multirelation $B_1$ if, and only if, $B_0$ is a subset
of $B_1$.

The extreme points of the theory, as expected of a theory of designs, are the
everywhere miraculous program and abort. Their definitions are presented below.

Definition 76 (Miracle) $\top_{BM_\bot} = \emptyset$

As in the original theory, miracle is denoted by the absence of any relationship
between any initial state and any set of final states, that is, the program cannot
possibly be executed.

Definition 77 (Abort) $\bot_{BM_\bot} = State \times \mathbb{P}\,State_\bot$

On the other hand, abort is characterised by the universal relation, such that every
initial state is related to every possible set of final states.


3.5 Operators

In this section the most important operators of the theory are introduced. Namely,
we define the operators of assignment, angelic and demonic choice, and sequential
composition. These enable the discussion of interesting properties observed in this
model of extended binary multirelations.

As discussed in Chapter 1, the model that we propose here is isomorphic to
the theory of angelic designs that we discuss in Chapter 4. In that chapter we
establish that the operators discussed here are in correspondence with those in the
theory of angelic designs, which we prove to be closed. Together with the respective
isomorphism that we discuss in Section 4.3, these results are sufficient to establish
closure of the operators with respect to the healthiness condition $BMH_\bot$.


3.5.1 Assignment

The first operator of interest is assignment. As already illustrated, in this new
model there is the possibility to define two distinct assignment operators. The first
one, $x :=_{BM} e$, behaves exactly as in the original theory of binary multirelations.
This operator does not need to be redefined, since $BM \subseteq BM_\bot$. The new operator
that we define below, however, behaves rather differently, in that it may or may not
terminate.

Definition 78 $x :=_{BM_\bot} e = \{ s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto e) \in ss \}$

This assignment guarantees that for every initial state $s$, there is some set of final
states available for angelic choice where $x$ has the value of expression $e$. However,
termination is not guaranteed. While the angel can choose the final value of $x$, it
cannot possibly guarantee termination in this case.
3.5.2 Angelic Choice

The definition of angelic choice is exactly the same as in the original theory of binary
multirelations.

Definition 79 $B_0 \sqcup_{BM_\bot} B_1 = B_0 \cap B_1$

For every set of final states available for demonic choice in $B_0$ and $B_1$, only those
that can be chosen both in $B_0$ and $B_1$ are available.

An interesting property of angelic choice that is observed in this model is illustrated
by the following Lemma L.3.5.1. It considers the angelic choice between two
assignments of the same expression, yet only one is guaranteed to terminate.

Lemma L.3.5.1 $(x :=_{BM_\bot} e) \sqcup_{BM_\bot} (x :=_{BM} e) = (x :=_{BM} e)$

This result can be interpreted as follows: given an assignment that is guaranteed to
terminate, adding a corresponding angelic choice that is potentially non-terminating
does not in fact introduce any new choices. This follows from $(x :=_{BM} e) \subseteq (x :=_{BM_\bot} e)$:
every set of final states offered by the terminating assignment is also offered by the
one that does not require termination, so their intersection is the terminating assignment.

In general, and as expected from the original model of binary multirelations, the
angelic choice operator observes the following properties. As the refinement ordering
in the new model is exactly the same as in the theory of binary multirelations, the
angelic choice operator, being the least upper bound in both theories, has the same
properties with respect to the extreme points of the lattice.

Lemma L.3.5.2 $\top_{BM_\bot} \sqcup_{BM_\bot} B = \top_{BM_\bot}$

The angelic choice between an everywhere miraculous program and any other program
is still miraculous.

Lemma L.3.5.3 $\bot_{BM_\bot} \sqcup_{BM_\bot} B = B$

On the other hand, the angelic choice between abort and any other program $B$ is the
same as $B$. That is, the angel will avoid choosing an aborting program if possible.


3.5.3 Demonic Choice

The next operator of interest is demonic choice. It is also defined exactly as in the
original theory of binary multirelations.

Definition 80 $B_0 \sqcap_{BM_\bot} B_1 = B_0 \cup B_1$

For every initial state, a corresponding set of final states available for demonic choice
in either, or both, of $B_0$ and $B_1$, is included in the result.

Similarly to the angelic choice operator, there is a general result regarding the
demonic choice over the two assignment operators, terminating and not necessarily
terminating. This is established by the following Lemma L.3.5.4.

Lemma L.3.5.4 $(x :=_{BM} e) \sqcap_{BM_\bot} (x :=_{BM_\bot} e) = (x :=_{BM_\bot} e)$

If there is an assignment for which termination is not guaranteed, then the demonic
choice over this assignment and a corresponding one that is guaranteed to terminate
is the same as the assignment that does not require termination. In other words, if
it is possible for the demon to choose between two similar sets of final states, one
that is possibly non-terminating and one that terminates, then the one for which
termination is not guaranteed dominates the choice.

The following two laws show how the demonic choice operator behaves with
respect to the extreme points of the lattice.

Lemma L.3.5.5 $\bot_{BM_\bot} \sqcap_{BM_\bot} B = \bot_{BM_\bot}$

Lemma L.3.5.6 $\top_{BM_\bot} \sqcap_{BM_\bot} B = B$

As expected, the demonic choice between abort and some other program is abort.
In the case of a miracle, the demon will avoid choosing it if possible.

Since the angelic and demonic choice operators are defined as set intersection
and union, respectively, they also distribute through each other. This is exactly the
same property as in the original theory of binary multirelations.


3.5.4 Sequential Composition

The definition of sequential composition in this new model is not immediately obvious.
We note, however, that one of the reasons for developing this theory is the
fact that it allows a more intuitive account of the definition of sequential composition
and, as such, an easier route to discover the definition in the theory of angelic
designs. To illustrate the issue, we consider the following example from the theory
of designs, where a non-H3-design is sequentially composed with $I\!I_D$.

Example 18

$(x' = 1 \vdash true) \mathbin{;} I\!I_D$

$= (x' = 1 \vdash true) \mathbin{;} (true \vdash x' = x)$ {Definition of $I\!I_D$}

$= (\lnot (x' \neq 1 \mathbin{;} true) \land \lnot (true \mathbin{;} false) \vdash true \mathbin{;} x' = x)$ {Sequential composition for designs}

$= (\lnot (\exists x_0 \bullet x_0 \neq 1 \land true) \land \lnot (\exists x_0 \bullet true \land false) \vdash \exists x_0 \bullet true \land x' = x_0)$ {Sequential composition}

$= (\lnot true \land \lnot false \vdash true)$ {Predicate calculus and one-point rule}

$= true$ {Predicate calculus and property of designs}

The result is $true$, the bottom of designs [39], whose behaviour is arbitrary. This
arises because, since the first design can always establish a final value for $x$, namely 1,
where termination is then not guaranteed, the Skip design $I\!I_D$ that follows can never
guarantee termination. This result can be generalised for a sequential composition
involving any non-H3-design.

This provides the motivation for the definition of sequential composition in the
new binary multirelational model.


Definition 81

$B_0 \mathbin{;}_{BM_\bot} B_1 = \left\{ s_0, ss_0 \,\middle|\, \exists ss \bullet (s_0, ss) \in B_0 \land (\bot \in ss \lor ss \subseteq \{ s_1 : State \mid (s_1, ss_0) \in B_1 \}) \right\}$

For sets of final states where termination is guaranteed, that is, $\bot$ is not in the set
of intermediate states $ss$, this definition matches that of the original theory. If $\bot$
is in $ss$, and hence termination is not guaranteed, then the result of the sequential
composition is arbitrary, as it can include any set of final states. If we assume that
$B_0$ is BMH0-healthy, then the definition of sequential composition can be split into
the set union of two sets as shown in Theorem T.3.5.1.

Theorem T.3.5.1 Provided $B_0$ is BMH0-healthy,

$B_0 \mathbin{;}_{BM_\bot} B_1 = \left( \begin{array}{l} \{ s_0, ss_0 \mid (s_0, State_\bot) \in B_0 \} \\ \cup \\ \{ s_0, ss_0 \mid (s_0, \{ s_1 \mid (s_1, ss_0) \in B_1 \}) \in B_0 \} \end{array} \right)$

The first set considers the case when $B_0$ leads to sets of final states where termination
is not required and, therefore, to the whole of $State_\bot$, due to upward closure. The
second set considers the case where termination is required and matches the result
of Lemma L.2.3.4.


For a similar example to Example 18 expressed in the new theory, we consider
the following example, where a non-terminating assignment is followed by the assignment
that requires termination, but does not change the value of $x$.

Example 19

$(x :=_{BM_\bot} e) \mathbin{;}_{BM_\bot} (x :=_{BM} x)$

{Definition of $\mathbin{;}_{BM_\bot}$ (Theorem T.3.5.1)}

$= \left( \begin{array}{l} \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, State_\bot) \in (x :=_{BM_\bot} e) \} \\ \cup \\ \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, \{ s_1 : State \mid (s_1, ss_0) \in (x :=_{BM} x) \}) \in (x :=_{BM_\bot} e) \} \end{array} \right)$

{Definition of $:=_{BM}$ and $:=_{BM_\bot}$}

$= \left( \begin{array}{l} \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, State_\bot) \in \{ s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto e) \in ss \} \} \\ \cup \\ \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, \{ s_1 : State \mid (s_1, ss_0) \in (x :=_{BM} x) \}) \in \{ s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto e) \in ss \} \} \end{array} \right)$

{Property of sets}

$= \left( \begin{array}{l} \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid s_0 \oplus (x \mapsto e) \in State_\bot \} \\ \cup \\ \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid s_0 \oplus (x \mapsto e) \in \{ s_1 : State \mid (s_1, ss_0) \in (x :=_{BM} x) \} \} \end{array} \right)$

{Property of sets}

$= \left( \begin{array}{l} \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid true \} \\ \cup \\ \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid s_0 \oplus (x \mapsto e) \in \{ s_1 : State \mid (s_1, ss_0) \in (x :=_{BM} x) \} \} \end{array} \right)$

{Property of sets and definition of $\bot_{BM_\bot}$}

$= \bot_{BM_\bot}$

The result of this sequential composition is an aborting program. As in the theory
of designs, if it is possible for the first program not to terminate, then the sequential
composition cannot provide any guarantees either. The properties observed by the
sequential composition operator are explored in what follows.


Properties

The first property of interest considers the sequential composition of $\top_{BM_\bot}$ followed
by some program $B$. The result is also a miraculous program, as shown in the
following Lemma L.3.5.7.

Lemma L.3.5.7 $\top_{BM_\bot} \mathbin{;}_{BM_\bot} B = \top_{BM_\bot}$

The following law expresses that the sequential composition of abort with another
program is also abort.

Lemma L.3.5.8 $\bot_{BM_\bot} \mathbin{;}_{BM_\bot} B = \bot_{BM_\bot}$

In the following paragraphs we explore some examples with respect to the extreme
points of the lattice.

The following example describes the general behaviour of some program $B$ that
is BMH0-healthy sequentially composed with a miraculous program.

Example 20

$B \mathbin{;}_{BM_\bot} \top_{BM_\bot}$

{Definition of $\top_{BM_\bot}$ and $\mathbin{;}_{BM_\bot}$ (Theorem T.3.5.1)}

$= \left( \begin{array}{l} \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, State_\bot) \in B \} \\ \cup \\ \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, \{ s_1 : State \mid (s_1, ss_0) \in \emptyset \}) \in B \} \end{array} \right)$

{Property of sets}

$= \left( \begin{array}{l} \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, State_\bot) \in B \} \\ \cup \\ \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, \emptyset) \in B \} \end{array} \right)$

If $B$ may not terminate for some initial state, and it is BMH0-healthy, then
the result of the sequential composition is abort for that initial state. If $B$
aborts for some particular initial state $s_0$, then that state is related to the empty
set in $B$ and the result of the sequential composition is also abort. Otherwise, the
result is miraculous, as the initial state is not in the domain of either relation in the
union above.

The following example describes the behaviour of a program $B$ sequentially composed
with abort.

Example 21

$B \mathbin{;}_{BM_\bot} \bot_{BM_\bot}$

{Definition of $\bot_{BM_\bot}$ and $\mathbin{;}_{BM_\bot}$ (Theorem T.3.5.1)}

$= \left( \begin{array}{l} \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, State_\bot) \in B \} \\ \cup \\ \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, \{ s_1 : State \mid (s_1, ss_0) \in (State \times \mathbb{P}\,State_\bot) \}) \in B \} \end{array} \right)$

{Property of sets}

$= \left( \begin{array}{l} \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, State_\bot) \in B \} \\ \cup \\ \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, \{ s_1 : State \mid true \}) \in B \} \end{array} \right)$

{Property of sets}

$= \{ s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, State_\bot) \in B \lor (s_0, State) \in B \}$

Because $B$ is upward closed, if it definitely terminates from $s_0$ then $State$ is a superset of all
its sets of final states and $(s_0, State)$ is in $B$. If $B$ may or may not terminate for some particular
set of final states, then $(s_0, State_\bot)$ is also in $B$ due to the upward closure guaranteed
by BMH0. In either case, the sequential composition behaves as abort. If $B$ is
miraculous for $s_0$, then so is the sequential composition.
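The operators of Section 3.5, and the laws and examples stated for them, can likewise be evaluated exhaustively on a finite state space. The block below is an added example, not code from the thesis. It assumes the same encoding as the earlier block (one variable $x$ over $\{0, 1, 2\}$; the state is identified with the value of $x$, so $s \oplus (x \mapsto v)$ is just $v$), defines both assignments, angelic and demonic choice, the extreme points and sequential composition by Definition 81, and checks Lemmas L.3.5.1 to L.3.5.8, Examples 19 to 21 and the split form of Theorem T.3.5.1. Helper names such as `after`, `seq_split` and `laws` are this example's own.

```python
"""Operators of the extended binary multirelation model on a finite state space:
the two assignments, angelic and demonic choice, the extreme points and the
sequential composition of Definition 81 and Theorem T.3.5.1.

Added example, not code from the thesis.  Assumptions: one variable x over
{0, 1, 2}; a relation is a frozenset of (s, ss) pairs with ss a frozenset over
State_bot = State | {BOT}; the state s is identified with the value of x, so
s (+) (x |-> v) is simply v.
"""
from itertools import combinations

BOT = "bot"
STATE = frozenset({0, 1, 2})
STATE_BOT = STATE | {BOT}


def powerset(xs):
    xs = sorted(xs, key=str)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


SETS_BOT = powerset(STATE_BOT)                       # P State_bot
ALL = frozenset((s, ss) for s in STATE for ss in SETS_BOT)

MIRACLE = frozenset()                                # Definition 76: top, the empty relation
ABORT = ALL                                          # Definition 77: bottom, State x P State_bot


def assign_bm(v):
    """x :=_BM v: the terminating assignment of the original theory (no BOT)."""
    return frozenset((s, ss) for (s, ss) in ALL if v in ss and BOT not in ss)


def assign_bot(v):
    """x :=_{BM_bot} v (Definition 78): termination is not required."""
    return frozenset((s, ss) for (s, ss) in ALL if v in ss)


def skip_bm():
    """x :=_BM x: terminating assignment that leaves x unchanged (Example 19)."""
    return frozenset((s, ss) for (s, ss) in ALL if s in ss and BOT not in ss)


def angelic(B0, B1):                                 # Definition 79: intersection
    return B0 & B1


def demonic(B0, B1):                                 # Definition 80: union
    return B0 | B1


def refines(B1, B0):                                 # Definition 75: B1 [= B0 iff B1 is a superset of B0
    return B1 >= B0


def after(B1, ss0):
    """{ s1 : State | (s1, ss0) in B1 }: initial states of B1 that can reach ss0."""
    return frozenset(s1 for s1 in STATE if (s1, ss0) in B1)


def seq(B0, B1):
    """B0 ; B1 by Definition 81.  An intermediate set containing BOT makes every
    set of final states available, i.e. the composition aborts for that s0."""
    return frozenset((s0, ss0) for (s0, ss0) in ALL
                     if any(BOT in ss or ss <= after(B1, ss0)
                            for ss in SETS_BOT if (s0, ss) in B0))


def seq_split(B0, B1):
    """The two-set form of Theorem T.3.5.1; agrees with seq when B0 is BMH0-healthy."""
    not_required = frozenset((s0, ss0) for (s0, ss0) in ALL if (s0, STATE_BOT) in B0)
    required = frozenset((s0, ss0) for (s0, ss0) in ALL if (s0, after(B1, ss0)) in B0)
    return not_required | required


def laws(e=1):
    """Lemmas L.3.5.1-L.3.5.8 and Examples 19-21, evaluated on the finite model."""
    a_bot, a_bm, B = assign_bot(e), assign_bm(e), assign_bot(e)
    return {
        "L351": angelic(a_bot, a_bm) == a_bm,
        "L352": angelic(MIRACLE, B) == MIRACLE,
        "L353": angelic(ABORT, B) == B,
        "L354": demonic(a_bm, a_bot) == a_bot,
        "L355": demonic(ABORT, B) == ABORT,
        "L356": demonic(MIRACLE, B) == B,
        "L357": seq(MIRACLE, B) == MIRACLE,
        "L358": seq(ABORT, B) == ABORT,
        "Ex19": seq(a_bot, skip_bm()) == ABORT,            # non-terminating ; skip aborts
        "Ex19_bm": seq(a_bm, skip_bm()) == a_bm,           # terminating ; skip is harmless
        "Ex20": seq(a_bot, MIRACLE) == ABORT and seq(a_bm, MIRACLE) == MIRACLE,
        "Ex21": seq(a_bm, ABORT) == ABORT,
        "T351": all(seq(X, Y) == seq_split(X, Y)
                    for X in (a_bot, a_bm, ABORT, MIRACLE)
                    for Y in (a_bm, skip_bm(), ABORT, MIRACLE)),
        "refines": refines(a_bot, a_bm) and not refines(a_bm, a_bot),
    }


if __name__ == "__main__":
    print(laws())
```

Every entry of `laws()` evaluates to true on this model. The `Ex19` entry is the finite-model counterpart of Example 19: because $x :=_{BM_\bot} e$ relates each initial state to the set $\{e, \bot\}$, the first disjunct of Definition 81 fires and the composition becomes the universal relation, whereas the terminating assignment followed by the same skip is left unchanged.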


3.6 Relationship with Binary Multirelations

Having presented the most important operators of the theory, in this section we
focus our attention on the relationship between the new model and the original
theory of binary multirelations. The first step consists in the definition of a pair
of linking functions, $bmb2bm$, which maps relations from the new model into the
original theory of binary multirelations, and $bm2bmb$, a mapping in the opposite
direction.

As previously discussed in Chapter 1, the relationship is illustrated in Figures 1.1
and 1.3, where each theory is labelled according to its healthiness conditions. In this
case, we have a bijection between the subset of $BMH_\bot$ characterised by the relations
that are BMH3-healthy and the original theory of binary multirelations characterised
by BMH. In this section our discussion is focused on this isomorphism, while
in Chapter 4 we discuss the isomorphism with the theory of angelic designs.

3.6.1 From $BM_\bot$ to $BM$ ($bmb2bm$)

The first function of interest is $bmb2bm$, which maps binary multirelations in the
new model, of type $BM_\bot$, to those in the original model of type $BM$.
Definition 82

$bmb2bm : BM_\bot \rightarrow BM$

$bmb2bm(B) = \{ s : State,\ ss : \mathbb{P}\,State_\bot \mid (s, ss) \in B \land \bot \notin ss \}$

Its definition considers every pair $(s, ss)$ in $B$ such that $\bot$ is not in $ss$. We consider
the following example, where $bmb2bm$ is applied to the potentially non-terminating
assignment of $e$ to the program variable $x$.

Example 22 $bmb2bm(x :=_{BM_\bot} e) = (x :=_{BM} e)$

The result corresponds to assignment in the original theory.

In order to establish that $bmb2bm$ yields a multirelation that is BMH-healthy
we use an alternative way to characterise the set of healthy binary multirelations as
fixed points of the function $bmh_{up}$.

Definition 83 $bmh_{up}(B) = \{ s, ss \mid \exists ss_0 : \mathbb{P}\,State \bullet (s, ss_0) \in B \land ss_0 \subseteq ss \}$

This definition is justified by Lemma L.3.6.1.

Lemma L.3.6.1 $BMH \Leftrightarrow bmh_{up}(B) = B$

Finally, Theorem T.3.6.1 establishes that the application of $bmb2bm$ to a multirelation
that is BMH0-BMH3-healthy yields a BMH-healthy relation.

Theorem T.3.6.1

$bmh_{up} \circ bmb2bm(bmh_{0,1,3,2}(B)) = bmb2bm(bmh_{0,1,3,2}(B))$

In summary, $bmb2bm$ yields relations that are in the original theory.


3.6.2 From $BM$ to $BM_\bot$ ($bm2bmb$)

The mapping in the opposite direction, from $BM$ to $BM_\bot$, is achieved by the function
$bm2bmb$, whose definition is presented below.

Definition 84

$bm2bmb : BM \rightarrow BM_\bot$

$bm2bmb(B) = \{ s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s, ss) \in B \land \bot \notin ss) \lor (s, \emptyset) \in B \}$

It considers every pair $(s, ss)$ in a relation $B$, where $\bot$ is not in the set of final states
$ss$; and if $B$ is aborting for a particular state $s$, that is, $s$ is related to the empty
set, then $s$ is related to every possible set of final states, including those containing $\bot$,
so that we have nontermination for $s$.

Similarly to the treatment of $bmb2bm$, Theorem T.3.6.2 establishes that the
application of $bm2bmb$ to an upward-closed relation, that is, a BMH-healthy one, yields a
relation that is BMH0-BMH3-healthy.

Theorem T.3.6.2

$bmh_{0,1,3,2} \circ bm2bmb(bmh_{up}(B)) = bm2bmb(bmh_{up}(B))$

This result completes the proof of healthiness for both linking functions. In the
following section we discuss the isomorphism.


3.6.3 Isomorphism ($bm2bmb$ and $bmb2bm$)

Based on the results of the previous Sections 3.6.1 and 3.6.2 we can establish that
$bm2bmb$ and $bmb2bm$ form a bijection for healthy relations, as ascertained by the
following Theorems T.3.6.3 and T.3.6.4.

Theorem T.3.6.3 Provided $B$ is $BMH_{0,1,2,3}$-healthy, $bm2bmb \circ bmb2bm(B) = B$.

Theorem T.3.6.4 Provided $B$ is BMH-healthy, $bmb2bm \circ bm2bmb(B) = B$.

These results show that the subset of the theory that is BMH0-BMH3-healthy is
isomorphic to the original theory of binary multirelations [35]. This confirms that,
while our model is more expressive, it is still possible to express every program that
could be specified using the original model.
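The linking functions and the isomorphism of Section 3.6 can be exercised on the same finite encoding. The block below is an added example, not code from the thesis. It assumes one variable $x$ over $\{0, 1, 2\}$ and represents a $BM$ relation as a relation of $BM_\bot$ whose sets of final states never contain $\bot$, so that $BM \subseteq BM_\bot$ holds literally. It checks Example 22, Lemma L.3.6.1, the BMH3-healthiness of $bm2bmb$ images, the round trips of Theorems T.3.6.3 and T.3.6.4, and shows why the round trip fails outside the BMH3-healthy subset. Names such as `round_trips`, `ALL_BM` and `ALL_BOT` are this example's own.

```python
"""Linking functions between the extended model BM_bot and Rewitzky's
upward-closed binary multirelations BM (Definitions 82-84, Example 22,
Lemma L.3.6.1, Theorems T.3.6.3 and T.3.6.4), on a finite state space.

Added example, not code from the thesis.  Assumptions: one variable x over
{0, 1, 2}; relations are frozensets of (s, ss) pairs; a BM relation is one
whose ss never contains BOT, so BM is literally a subset of BM_bot here.
"""
from itertools import combinations

BOT = "bot"
STATE = frozenset({0, 1, 2})
STATE_BOT = STATE | {BOT}
EMPTY = frozenset()


def powerset(xs):
    xs = sorted(xs, key=str)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


SETS_BOT = powerset(STATE_BOT)                                   # P State_bot
SETS = [ss for ss in SETS_BOT if BOT not in ss]                  # P State
ALL_BOT = frozenset((s, ss) for s in STATE for ss in SETS_BOT)   # abort in BM_bot
ALL_BM = frozenset((s, ss) for s in STATE for ss in SETS)        # abort in BM


def assign_bm(v):
    """x :=_BM v: terminating assignment of the original theory."""
    return frozenset((s, ss) for (s, ss) in ALL_BM if v in ss)


def assign_bot(v):
    """x :=_{BM_bot} v: assignment that does not require termination."""
    return frozenset((s, ss) for (s, ss) in ALL_BOT if v in ss)


def bmb2bm(B):
    """Definition 82: keep only the terminating sets of final states."""
    return frozenset((s, ss) for (s, ss) in B if BOT not in ss)


def bm2bmb(B):
    """Definition 84: embed B; an aborting s (related to the empty set) becomes
    related to every set of final states, including those containing BOT."""
    return frozenset((s, ss) for (s, ss) in ALL_BOT
                     if ((s, ss) in B and BOT not in ss) or (s, EMPTY) in B)


def bmh_up(B):
    """Definition 83: upward closure over P State; BMH holds iff bmh_up(B) == B."""
    return frozenset((s, ss) for (s, ss) in ALL_BM
                     if any((s, ss0) in B and ss0 <= ss for ss0 in SETS))


def bmh3_ok(B):
    """Definition 70, the condition that singles out the image of bm2bmb."""
    return all(BOT not in ss for (s, ss) in B if (s, EMPTY) not in B)


def round_trips(e=1):
    """Example 22, Lemma L.3.6.1 and Theorems T.3.6.3/T.3.6.4 on concrete relations."""
    a_bm, a_bot = assign_bm(e), assign_bot(e)
    lost = bm2bmb(bmb2bm(a_bot))     # a_bot is not BMH3-healthy: the trip loses it
    return {
        "Ex22": bmb2bm(a_bot) == a_bm,
        "L361": bmh_up(a_bm) == a_bm and bmh_up(bmb2bm(a_bot)) == bmb2bm(a_bot),
        "T362_bmh3": bmh3_ok(bm2bmb(a_bm)) and bmh3_ok(bm2bmb(ALL_BM)),
        "T363": bm2bmb(bmb2bm(a_bm)) == a_bm and bm2bmb(bmb2bm(ALL_BOT)) == ALL_BOT,
        "T364": bmb2bm(bm2bmb(a_bm)) == a_bm and bmb2bm(bm2bmb(ALL_BM)) == ALL_BM,
        "aborts": bm2bmb(ALL_BM) == ALL_BOT and bmb2bm(ALL_BOT) == ALL_BM,
        "not_iso_outside_BMH3": lost == a_bm and lost != a_bot,
    }


if __name__ == "__main__":
    print(round_trips())
```

The `aborts` entry records that the two abort relations correspond under the linking functions, which is what BMH2 was introduced for; the last entry shows that the non-terminating assignment, which is not BMH3-healthy, is collapsed to its terminating counterpart by a trip through $BM$, so the bijection really is restricted to the BMH3-healthy subset.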


3.7 Final Considerations

In this chapter we have introduced a new model of binary multirelations that allows
the specification of sets of final states for which termination is not required. This
model extends the theory of Rewitzky [35] by considering a special state $\bot$ that
denotes the possibility for non-termination. The healthiness conditions have been
introduced as predicates and subsequently characterised as fixed points of idempotent
functions. This dual characterisation is useful for reasoning about the link
between this model and the theory of [35].

The operators of the theory have been introduced and their properties studied.
Notable differences with respect to the original theory include the potentially non-terminating
assignment and sequential composition. The definition of the latter
is perhaps the most unexpected, as the intuition comes from the UTP theory of
designs. The full justification for some of the operators and the refinement order
is revisited in Chapter 4, where we introduce the isomorphic model of angelic
designs.

Finally, we have studied the relationship between this new model of binary multirelations
and the theory of [35]. We have found that the subset of multirelations
that are, in addition, BMH3-healthy is isomorphic to the original theory. While
this model is more expressive, we can still reason about the existing model of binary
multirelations.
Chapter 4


Angelic Designs 


In this chapter we introduce a new UTP theory of designs with both angelic and demonic nondeterminism. As already indicated, the starting points for this predicative model are the theory of Cavalcanti et al. [38] and the extended model of binary multirelations presented earlier in Chapter 3. For this reason, Section 4.1 begins by discussing the choice of alphabet and the relationship with the alphabet of

In Section 4.2 the healthiness conditions of the theory are presented. Section 4.3 discusses the isomorphism with the model of extended binary multirelations. In Section 4.4 we explore the notion of refinement and prove that it corresponds exactly to that in the model of Chapter 3. In Section 4.5 the main operators of the theory are presented, including angelic and demonic choice. In Section 4.6 we explore the relationship with the original theory of designs. In Section 4.7 we show that the subset of H3-healthy designs is isomorphic to the theory of [38]. Finally, Section 4.8 concludes the chapter with a summary of the main results.


4.1 Alphabet 

Our aim is to build a theory of designs. Therefore, the alphabet of our theory includes the observational variables ok and ok', like every theory of designs, and two additional variables s and ac', as shown in the following definition, where the notation for a type of State is enriched to carry a parameterised set of variables Sa that specifies the names of all the record components considered. The approach followed in our discussion is that a record can be represented as a set of ordered pairs where the first component is the variable name, from a set of all possible variables, and the second component corresponds to the associated value or expression.




Definition 85 (Alphabet)

$s : State(Sa)$
$ac' : \mathbb{P}\, State(Sa)$
$ok, ok' : \{true, false\}$

$State(Sa) = \{x, e \mid x \in Sa\}$

The variable s encapsulates the initial values of program variables as record components of s, just like in the extended model of binary multirelations discussed in Chapter 3. The set of final states ac' is similar to that of [38] with the notable difference that we do not dash the variable names in the record components; instead we only consider these as undashed. This deliberate choice bears no consequences, other than simplifying reasoning and proofs. The set of program variables Sa recorded in both s and the final states of ac' is the same.

The set of angelic choices ac' of this new model and that of [38] can be related by dashing or undashing the variables of the components of all states in either set. This relationship is formalized by the following pair of functions.

Definition 86

$undashset(ss) = \{z : State(Sa) \mid z \in ss \bullet undash(z)\}$
$dashset(ss) = \{z : State(Sa) \mid z \in ss \bullet dash(z)\}$


The function undashset maps a set ss of states whose record components are dashed variables into a set where every state has its components undashed. This is achieved by considering every state z in the set ss and applying undash, a function which undashes the names of every record component of a state. Similarly, dashset maps in the opposite direction by dashing every state in ss. A state z whose components range over the set of variables Sa can be dashed and undashed via the functions dash and undash.

The function dash(z) considers every record component z.x of z, and dashes the name of x into x'. Similarly, the function undash performs the inverse renaming, by undashing every x' to x. The functions dash and undash are bijective; they are the exact inverse of each other. Useful properties include, for instance, that undash(z).x = z.x' and dash(z).x' = z.x. These and other properties of dash and undash are included for completeness in Appendix D.2.


These functions are important in the development of links between the theories, in particular with the theory of [38], which we explore in Section 4.7. In the following Section 4.2 we introduce the healthiness conditions.


4.2 Healthiness Conditions 


Since the theory we propose is a theory of designs, at the very least predicates need to satisfy H1 and H2. More important for our discussion is the fact that none of the proofs in [39] regarding H1 and H2 require homogeneity, so it is possible to consider a non-homogeneous theory of designs.

In addition, since we have a theory with ok and ok', the record of termination embedded in the use of ac' must be related to that in ok and ok'. This is the concern of the first healthiness condition A0, which we discuss in Section 4.2.1. Similarly to the theory of [33], there is a requirement for ac' to be upward-closed. This is the concern of the second healthiness condition A1, which we discuss in Section 4.2.2. Finally, the composition of both healthiness conditions, named A, is explored in Section 4.2.3.


4.2.1 A0

The notion of termination considered in this theory is related to that of [33]. In that model, termination is always guaranteed as long as ac' is not empty. In the theory of designs termination is signalled by ok'. In order to reconcile these two notions we introduce the following healthiness condition A0.


Definition 87 $A0(P) = P \land ((ok \land \lnot P^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$


It states that when a design is started and its precondition $\lnot P^f$ is satisfied, if it terminates, with ok' being true, then it must be the case that ac' is not empty. In other words, there must be at least one state in ac' available for angelic choice. If the precondition $\lnot P^f$ is not satisfied, then the design aborts and there are no guarantees on the outcome, and so ac' may or may not be empty.

The function A0 is idempotent and monotonic as established by the following Theorems T.4.2.1 and T.4.2.2. Proofs of these and other results to follow can be found in Appendix C.

Theorem T.4.2.1 $A0 \circ A0(P) = A0(P)$

Theorem T.4.2.2 $(P \sqsubseteq Q) \Rightarrow (A0(P) \sqsubseteq A0(Q))$


More importantly, the function A0 is closed with respect to designs.

Theorem T.4.2.3 If P is a design so is A0(P).

$A0(P) = (\lnot P^f \vdash P^t \land ac' \neq \emptyset)$

Therefore a design in this theory can be stated in the usual manner, with a pre and a postcondition, which in this case requires ac' not to be empty. In other words, once the precondition of an angelic design is satisfied, it terminates successfully with at least one final state available for angelic choice.

Finally, A0 is closed with respect to conjunction and disjunction as stated in the following Theorems T.4.2.4 and T.4.2.5.

Theorem T.4.2.4 Provided P and Q are A0-healthy, $A0(P \land Q) = P \land Q$

Theorem T.4.2.5 Provided P and Q are A0-healthy designs, $A0(P \lor Q) = P \lor Q$

The function A0 distributes through conjunction, and provided that the predicate is a design, that is, H1 and H2-healthy, it also distributes through disjunction. This extra proviso is not a problem since this is a theory of designs. These properties conclude our discussion regarding A0.


4.2.2 A1

In addition to requiring a consistent treatment of termination, our theory of designs also requires that both the pre and postcondition observe the upward closure of the set of final states ac'. In order to enforce this property in the new theory we extend the original healthiness condition PBMH of [38] to accommodate the additional variables ok and ok' as follows.

Definition 88 $PBMH(P) = P ; (ac \subseteq ac' \land ok' = ok)$

In addition to requiring that the value of ac' must be upward-closed, the value of ok' is left unchanged. This is the definition of PBMH adopted throughout our work. Its expanded version, given by Lemma L.4.2.1, is more often used directly in proofs.

Lemma L.4.2.1 $PBMH(P) = \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac'$


When considering a design, with precondition P and postcondition Q, the application of PBMH yields a design where it is itself applied to the postcondition and the negation of the precondition, as shown in the following Lemma L.4.2.2.

Lemma L.4.2.2 $PBMH(P \vdash Q) = (\lnot PBMH(\lnot P) \vdash PBMH(Q))$

The requirement on the postcondition is exactly like in the original theory of

While the requirement on the negation of the precondition follows directly from the definition of designs, where for non-H3 designs it is actually the negation of the precondition that determines what is enforced in the case of non-termination, we show in Example 5 in Section 2.4 such a scenario.

The application of PBMH to a design is precisely the motivation behind the definition of the following healthiness condition A1.

Definition 89 $A1(P \vdash Q) = (\lnot PBMH(\lnot P) \vdash PBMH(Q))$

Therefore A1 and PBMH are synonyms and can be used interchangeably.

The function A1 is idempotent and monotonic as established by the following Theorems T.4.2.6 and T.4.2.7.

Theorem T.4.2.6 $A1 \circ A1(P \vdash Q) = A1(P \vdash Q)$

Theorem T.4.2.7 $(P \sqsubseteq Q) \Rightarrow A1(P) \sqsubseteq A1(Q)$

Furthermore, it is closed with respect to both conjunction and disjunction, and distributes through disjunction. In the following section we discuss the functional composition of A0 and A1.


4.2.3 A 

The theory of designs we propose is characterised by the functional composition of A0, A1, and H1 and H2 of the original theory of designs. The order in which these functions are composed is important since they do not always commute. In order to explain the reason behind this we consider the following counter-example.

Counter-example 1

$A0 \circ A1(true \vdash ac' = \emptyset)$   {Definition of A1}
$= A0(\lnot(false ; ac \subseteq ac') \vdash ac' = \emptyset ; ac \subseteq ac')$   {Definition of sequential composition}
$= A0(\lnot(false \land \exists ac_0 \bullet ac_0 \subseteq ac') \vdash \exists ac_0 \bullet ac_0 = \emptyset \land ac_0 \subseteq ac')$   {One-point rule and predicate calculus}
$= A0(true \vdash true)$   {Definition of A0 (Theorem T.4.2.3)}
$= (true \vdash ac' \neq \emptyset)$

$A1 \circ A0(true \vdash ac' = \emptyset)$   {Definition of A0 (Theorem T.4.2.3)}
$= A1(true \vdash ac' = \emptyset \land ac' \neq \emptyset)$   {Predicate calculus}
$= A1(true \vdash false)$   {Definition of A1}
$= (\lnot(false ; ac \subseteq ac') \vdash false ; ac \subseteq ac')$   {Definition of sequential composition}
$= (true \vdash false)$

In this example we apply the healthiness conditions in different orders to an unhealthy design $(true \vdash ac' = \emptyset)$ whose postcondition requires non-termination: $ac' = \emptyset$. In the first case A1 changes the postcondition into true, followed by the application of A0. In the second case, A0 is applied first, making the postcondition false, a predicate that satisfies PBMH. The resulting predicate conforms to the definition of $\top_D$. Thus the functions do not always commute.

If instead we consider healthy predicates, then we can ensure that A0 and A1 commute. The following Theorem T.4.2.8 establishes this result for predicates that are A1-healthy. In fact the only requirement is for the postcondition $P^t$ to satisfy PBMH.

Theorem T.4.2.8 Provided $P^t$ satisfies PBMH, $A0 \circ A1(P) = A1 \circ A0(P)$

This indicates that it is appropriate to introduce the definition of A as the functional composition of A1 followed by A0, since A0 preserves A1-healthiness.

Definition 90 $A(P) = A0 \circ A1(P)$

Theorem T.4.2.8 establishes that once the postcondition of P satisfies PBMH the functions commute. Therefore, by applying A1 first we guarantee that this is always the case.

Since the function A is defined by the functional composition of A1 and A0, and these functions are monotonic, so is A. It is also idempotent as established by the following Theorem T.4.2.9.

Theorem T.4.2.9 $A \circ A(P) = A(P)$

More importantly, it commutes with H1 and H2 of the theory of designs as established by the following Theorem T.4.2.10.

Theorem T.4.2.10 $H1 \circ H2 \circ A(P) = A \circ H1 \circ H2(P)$

The healthiness condition of our theory is $H1 \circ H2 \circ A$. Since these commute, and they are all idempotents, so is their functional composition [39]. Furthermore, monotonicity also follows from the monotonicity of each function.

This concludes the main discussion on the healthiness conditions of the theory of angelic designs. Before exploring the relationship between this theory and the model of extended binary multirelations in Section 4.3, we first discuss how to define the subset of non-angelic designs of this theory in the following Section 4.2.4.


4.2.4 A2

In general, in our theory, a relation that does not exhibit angelic nondeterminism always provides at most one angelic choice. In other words, for every initial state, there must be at most one final state available in the distributed intersection over all possible values of ac'. That is, without directly considering the upward-closure of ac', there must be at most one state in ac'. This leads to the following healthiness condition A2.

Definition 91 $A2(P) = PBMH(P ;_A \{s\} = ac')$

This definition is given in terms of the operator $;_A$, which we previously discussed in Section 2.4.4 and whose formal definition in the context of the theory of angelic designs is discussed in Section 4.5. The intuition behind this definition is that A2 requires the set of final states in P to be either empty or a singleton, otherwise it becomes false. Since this purposely breaks the upward-closure, PBMH must be applied as a result. If we consider the definition of PBMH, the definition of A2 can be expanded as established by the following Theorem T.4.2.11.

Theorem T.4.2.11 $A2(P) = P[\emptyset/ac'] \lor (\exists y \bullet P[\{y\}/ac'] \land y \in ac')$

It confirms our intuition that ac' must be either empty or a singleton.

As expected of a healthiness condition, A2 is idempotent and monotonic as confirmed by Theorems T.4.2.12 and T.4.2.13.

Theorem T.4.2.12 $A2 \circ A2(P) = A2(P)$

Theorem T.4.2.13 $P \sqsubseteq Q \Rightarrow A2(P) \sqsubseteq A2(Q)$

The function A2 distributes through disjunction as established by Theorem T.4.2.14.

Theorem T.4.2.14 $A2(P \lor Q) = A2(P) \lor A2(Q)$


Consequently it is also closed under disjunction. However, and as expected, A2 is not necessarily closed under conjunction. As we discuss later in Section 4.5.4, angelic choice is defined through conjunction, so it is no surprise that the conjunction of two A2-healthy predicates can introduce angelic nondeterminism. Finally, when applied to a design, we obtain the following result of Lemma L.4.2.3.

Lemma L.4.2.3 $A2(P \vdash Q) = (\lnot A2(\lnot P) \vdash A2(Q))$

That is, A2 can be directly applied to both the negation of the precondition and the postcondition of a design.

This concludes the discussion of the healthiness conditions of the theory, and its subset of non-angelic designs. As highlighted in Figure 1.1, the function A2 plays a fundamental role in identifying the subset of theories with no angelic nondeterminism, particularly when links are established with other theories.


4.3 Relationship with Extended Binary Multirelations

As previously discussed, the model of extended binary multirelations developed in Chapter 3 is a complementary model to that of angelic designs. In this section we show how these two models can be related and prove that they are isomorphic.

In order to do so, we define a pair of linking functions, d2bmb that maps from angelic designs to binary multirelations, and bmb2d mapping in the opposite direction. The latter is defined in Section 4.3.2 while the former is defined in Section 4.3.1. Finally, in Section 4.3.3 the isomorphism is established by proving that these functions form a bijection.

4.3.1 From Designs to Binary Multirelations (d2bmb)

The first function of interest is d2bmb. It maps from A-healthy designs into relations of type $BM_\bot$ and is defined as follows, where, as before, s is of type State and ss of type $State_\bot$.


Definition 92 (d2bmb)

$d2bmb : A \to BM_\bot$

$d2bmb(P) \mathrel{\hat{=}} \{ s, ss \mid ((\lnot P^f \Rightarrow P^t)[true/ok][ss/ac'] \land \bot \notin ss) \lor (P^f[true/ok][(ss \setminus \{\bot\})/ac'] \land \bot \in ss) \}$


For a given design P, whose precondition is $\lnot P^f$ and postcondition is $P^t$, the set construction of d2bmb(P) is split into two disjuncts.

The first disjunct considers the case where P is guaranteed to terminate, with ok and ok' both substituted with true in the design P to obtain the implication $\lnot P^f \Rightarrow P^t$. The resulting set of final states ss, for which termination is required ($\bot \notin ss$), is obtained by substituting ss for ac' in P.

In the second disjunct we consider the case where ok is also true, but ok' is false. This corresponds to the situation where P does not terminate. In this case, the set of final states is obtained by substituting $ss \setminus \{\bot\}$ for ac' and requiring ⊥ to be in the set of final states ss.

As a consequence of P satisfying H2, we ensure that if there is some set of final states characterised by the second disjunct, and therefore containing ⊥, then there is also an equivalent set of final states without ⊥ that is characterised by the first disjunct.


In the following Theorem T.4.3.1 we establish that the application of d2bmb to A-healthy designs yields relations that are BMH0-BMH2-healthy.

Theorem T.4.3.1 Provided P is a design, $bmh_{0,1,2} \circ d2bmb(A(P)) = d2bmb(A(P))$

That is, the application of d2bmb to an A-healthy design is a fixed point of $bmh_{0,1,2}$.

We consider the following Example 23, where d2bmb is applied to the program that either assigns the value 1 to the sole program variable x and terminates, or assigns the value 2 to x, in which case termination is not required.


Example 23

$d2bmb((x \mapsto 2) \notin ac' \vdash (x \mapsto 1) \in ac')$   {Definition of d2bmb (Lemma L.C.2.8)}
$= \{ s, ss \mid (((x \mapsto 2) \notin ac' \Rightarrow (x \mapsto 1) \in ac')[ss/ac'] \land \bot \notin ss) \lor (((x \mapsto 2) \in ac')[ss \setminus \{\bot\}/ac'] \land \bot \in ss) \}$   {Predicate calculus and substitution}
$= \{ s, ss \mid ((x \mapsto 2) \in ss \land \bot \notin ss) \lor ((x \mapsto 1) \in ss \land \bot \notin ss) \lor ((x \mapsto 2) \in (ss \setminus \{\bot\}) \land \bot \in ss) \}$   {Property of sets}
$= \{ s, ss \mid ((x \mapsto 2) \in ss \land \bot \notin ss) \lor ((x \mapsto 1) \in ss \land \bot \notin ss) \lor ((x \mapsto 2) \in ss \land (x \mapsto 2) \neq \bot \land \bot \in ss) \}$   {Property of sets}
$= \{ s, ss \mid ((x \mapsto 2) \in ss \land \bot \notin ss) \lor ((x \mapsto 1) \in ss \land \bot \notin ss) \lor ((x \mapsto 2) \in ss \land \bot \in ss) \}$   {Predicate calculus}
$= \{ s, ss \mid (x \mapsto 2) \in ss \lor ((x \mapsto 1) \in ss \land \bot \notin ss) \}$   {Definition of $\sqcap_{BM_\bot}$, $:=_{BM_\bot}$ and $:=_{BM}$}
$= (x :=_{BM_\bot} 2) \sqcap_{BM_\bot} (x :=_{BM} 1)$

As expected, the function d2bmb yields a program with the same behaviour specified using the binary multirelational model. It is the demonic choice over two assignments, one requiring termination while the other does not.


4.3.2 From Binary Multirelations to Designs (bmb2d)

The second linking function of interest is bmb2d, which maps from relations of type $BM_\bot$ to A-healthy predicates. Its definition is presented below.

Definition 93

$bmb2d : BM_\bot \to A$

$bmb2d(B) \mathrel{\hat{=}} ((s, ac' \cup \{\bot\}) \notin B \vdash (s, ac') \in B)$
It is defined as a design, such that for a particular initial state s, the precondition requires (s, ac' ∪ {⊥}) not to be in B, while the postcondition establishes that (s, ac') is in B. This definition can be expanded into a more intuitive representation according to the following Lemma L.4.3.1.

Lemma L.4.3.1 $bmb2d(B) = ok \Rightarrow (((s, ac') \in B \land \bot \notin ac' \land ok') \lor (s, ac' \cup \{\bot\}) \in B)$

The behaviour of bmb2d is split into two disjuncts. The first one considers the case where B requires termination, and hence ⊥ is not part of the set of final states of the pair in B. The second disjunct considers sets of final states that do not require termination, in which case ok' can be either true or false.


Theorem T.4.3.2 establishes that bmb2d(B) yields A-healthy designs provided that B is BMH0-BMH2-healthy.

Theorem T.4.3.2 Provided B satisfies $bmh_{0,1,2}$, $A \circ bmb2d(B) = bmb2d(B)$.

This result confirms that bmb2d is closed with respect to A when applied to relations that are BMH0-BMH2-healthy. This concludes our discussion of bmb2d. In the following Section 4.3.3 we focus our attention on the isomorphism.


4.3.3 Isomorphism: d2bmb and bmb2d

In this section we show that d2bmb and bmb2d form a bijection. The following Theorem T.4.3.3 establishes that d2bmb is the inverse function of bmb2d for relations that are BMH0-BMH2-healthy.

Theorem T.4.3.3 Provided B is BMH0-BMH2-healthy, $d2bmb \circ bmb2d(B) = B$

Theorem T.4.3.4, on the other hand, establishes that bmb2d is the inverse function of d2bmb for designs that are A-healthy.

Theorem T.4.3.4 Provided P is an A-healthy design, $bmb2d \circ d2bmb(P) = P$


Together these results establish that the models are isomorphic. This result is of fundamental importance since it allows the same programs to be characterised using two different approaches. The binary multirelational model provides a set-theoretic approach, while the predicative theory proposed can be easily linked with other UTP theories of interest, namely the theory of reactive processes.

Furthermore, this dual approach enables us to justify the definition of certain 
aspects of our theory. This includes the healthiness conditions and the definition of 
certain operators such as sequential composition. The most intuitive and appropri¬ 
ate model can be used in each case. The results obtained in either model can then 
be related using the linking functions. 


4.4 Refinement 


The healthiness condition A can be viewed as a function from the theory of designs into our theory. The theory of designs is a complete lattice [39]. Since A is monotonic and idempotent, its range is also a complete lattice [39]. Therefore we can assert that the theory we propose is also a complete lattice under the universal reverse implication order.

In the following Section 4.4.1 we revisit the least and greatest elements of the designs lattice and explore their properties within our theory. Next, in Section 4.4.2 we show that the refinement order of our theory corresponds exactly to subset inclusion in the extended theory of binary multirelations of Chapter 3.


4.4.1 Extreme Points 


Since we have a theory of designs, the extreme points of the lattice are exactly the same as those of any theory of designs. The bottom is defined by true ($\bot_D$), whose behaviour is unpredictable and may include non-termination, while the top is the everywhere miraculous program given by ¬ok ($\top_D$). (In the theory of angelic nondeterminism of [38] the top is defined by false and the bottom by true.)

The bottom of the lattice true is an angelic design as established by the following Theorem T.4.4.1.

Theorem T.4.4.1 $A(\bot_D) = \bot_D$

The consequence of true being the bottom of the lattice is that ac' may be empty. This is as expected, since a program for which there is no choice available to the angel corresponds to the possibility of non-termination.

The definition for the top of the lattice is a direct consequence of having the additional variables ok and ok'. It is also an angelic design as established by the following Theorem T.4.4.2.

Theorem T.4.4.2 $A(\top_D) = \top_D$

Thus, such a program may never be started and its characterisation as a pre and postcondition pair is just like in the original theory of designs.

This concludes our introduction to the extreme points of the theory. In the following Section 4.4.2 we establish the relationship between the refinement order of this theory and that of the binary multirelational model.


4.4.2 Relationship with Extended Binary Multirelations

The model in Chapter 3 is meant to be as similar as possible to the original model of binary multirelations. In Section 3.4 the refinement order $\sqsubseteq_{BM_\bot}$ is defined as subset inclusion, like in the original theory. The following Theorem T.4.4.3 establishes that in fact the refinement order $\sqsubseteq_{BM_\bot}$ corresponds to the refinement order of designs $\sqsubseteq_D$.

Theorem T.4.4.3 Provided $B_0$ and $B_1$ are BMH0-BMH2-healthy, $bmb2d(B_0) \sqsubseteq_D bmb2d(B_1) \Leftrightarrow B_0 \sqsubseteq_{BM_\bot} B_1$

It is reassuring to find that the refinement order in our theory of angelic designs corresponds to subset ordering in the binary multirelational model. This is particularly important as it confirms the intuitive definition of the theory of extended binary multirelations.


4.5 Operators 


In this section we define the main operators of the theory of angelic designs. This includes the definition of assignment in the following Section 4.5.1, sequential composition in Section 4.5.2, demonic choice in Section 4.5.4 and finally angelic choice in Section 4.5.3. For these operators we show how they relate to their counterpart in the model of extended binary multirelations. In addition we also prove that they are all closed under A.
4.5.1 Assignment

The first operator we consider is assignment. The definition, presented below, is similar to that of [38].

Definition 94 (Assignment) $(x :=_{Dac} e) = (true \vdash s \oplus \{x \mapsto e\} \in ac')$

It is defined by a design whose precondition is true, and whose postcondition establishes that every set of final states ac' has a state where the component x is assigned the value of the expression e. Every such state is the result of overriding the value of x in the initial state s, while leaving every other program variable unchanged.


4.5.2 Sequential Composition

A challenging aspect of the theory of angelic designs is that it uses non-homogeneous relations. Consequently sequential composition cannot be simply defined as relational composition like in other UTP theories. The definition we propose here is layered upon the sequential composition operator $;_A$ originally introduced in [38].

The definition of sequential composition for angelic designs is given by considering the auxiliary variables ok and ok' separately, as follows.

Definition 95 (Dac-sequence) $P ;_{Dac} Q = \exists ok_0 \bullet P[ok_0/ok'] ;_A Q[ok_0/ok]$

This definition resembles relational composition with the notable difference that instead of conjunction we use the operator $;_A$ that handles the non-homogeneous alphabet of the relations. In Section 2.4.4 we previously discussed its definition as found in [38]. Since in our theory we have a different alphabet, we redefine the operator $;_A$ in terms of the input state s as follows.

Definition 96 (A-sequence) $P ;_A Q = P[\{s : State \mid Q\}/ac']$

This is the definition adopted throughout this thesis. Just like before, this sequential composition can be understood as follows: a final state of $P ;_A Q$ is a final state of Q that can be reached from a set of input states s of Q that is available to P as a set ac' of angelic choices.

In Appendix F we explore and prove properties observed by the $;_A$ operator. Based on those results, and the fact that ok and ok' are free in neither the pre nor the postcondition, it is possible to characterise the sequential composition of two angelic designs as follows.


Theorem T.4.5.1 Provided ok and ok' are not free in P, Q, R and S, and that ¬P and Q are PBMH-healthy,

$(P \vdash Q) ;_{Dac} (R \vdash S) = (\lnot(\lnot P ;_A true) \land \lnot(Q ;_A \lnot R) \vdash Q ;_A (R \Rightarrow S))$

The result obtained is very similar to that of sequential composition for the original theory of designs, except for the postcondition and the fact that we use the operator $;_A$ instead of the sequential composition operator for relations [82]. While the precondition guarantees that it is not the case that Q establishes ¬R, the implication in the postcondition acts as a filter that removes final states available for angelic choice in Q that fail to satisfy R. We consider the following Example 24.

Example 24

$(true \vdash \{x \mapsto 1\} \in ac' \land \{x \mapsto 2\} \in ac') ;_{Dac} (s.x \neq 1 \vdash s \in ac')$   {Theorem T.4.5.1}
$= (\lnot(\lnot true ;_A true) \land \lnot((\{x \mapsto 1\} \in ac' \land \{x \mapsto 2\} \in ac') ;_A s.x = 1) \vdash (\{x \mapsto 1\} \in ac' \land \{x \mapsto 2\} \in ac') ;_A (s.x \neq 1 \Rightarrow s \in ac'))$   {Predicate calculus}
$= (\lnot(false ;_A true) \land \lnot((\{x \mapsto 1\} \in ac' \land \{x \mapsto 2\} \in ac') ;_A s.x = 1) \vdash (\{x \mapsto 1\} \in ac' \land \{x \mapsto 2\} \in ac') ;_A (s.x \neq 1 \Rightarrow s \in ac'))$   {Property of $;_A$}
$= (\lnot false \land \lnot((\{x \mapsto 1\} \in ac' \land \{x \mapsto 2\} \in ac') ;_A s.x = 1) \vdash (\{x \mapsto 1\} \in ac' \land \{x \mapsto 2\} \in ac') ;_A (s.x \neq 1 \Rightarrow s \in ac'))$   {Predicate calculus}
$= (\lnot((\{x \mapsto 1\} \in ac' \land \{x \mapsto 2\} \in ac') ;_A s.x = 1) \vdash (\{x \mapsto 1\} \in ac' \land \{x \mapsto 2\} \in ac') ;_A (s.x \neq 1 \Rightarrow s \in ac'))$   {Definition of $;_A$ and substitution}
$= (\lnot(\{x \mapsto 1\} \in \{s \mid s.x = 1\} \land \{x \mapsto 2\} \in \{s \mid s.x = 1\}) \vdash \{x \mapsto 1\} \in \{s \mid s.x \neq 1 \Rightarrow s \in ac'\} \land \{x \mapsto 2\} \in \{s \mid s.x \neq 1 \Rightarrow s \in ac'\})$   {Property of sets}
$= (\lnot(\{x \mapsto 1\}.x = 1 \land \{x \mapsto 2\}.x = 1) \vdash (\{x \mapsto 1\}.x \neq 1 \Rightarrow \{x \mapsto 1\} \in ac') \land (\{x \mapsto 2\}.x \neq 1 \Rightarrow \{x \mapsto 2\} \in ac'))$   {Value of component x}
$= (\lnot(1 = 1 \land 2 = 1) \vdash (1 \neq 1 \Rightarrow \{x \mapsto 1\} \in ac') \land (2 \neq 1 \Rightarrow \{x \mapsto 2\} \in ac'))$   {Predicate calculus}
$= (true \vdash (false \Rightarrow \{x \mapsto 1\} \in ac') \land (true \Rightarrow \{x \mapsto 2\} \in ac'))$   {Predicate calculus}
$= (true \vdash \{x \mapsto 2\} \in ac')$

In this case, there is an angelic choice between the assignment of the value 1 and 2 to the program variable x, sequentially composed with the program that aborts if x is 1 and that otherwise behaves as Skip. The resulting design is just the assignment of 2 to x that avoids aborting. In this case, the implication in the postcondition of Theorem T.4.5.1 is discarding the angelic choice where x is 1.
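The definitions above can be checked mechanically on a finite model. The following Python is added here as an illustration and is not part of the thesis: it encodes designs over a single program variable x ranging over {1, 2} as predicates on (s, ac', ok, ok'), encodes BM⊥ relations as sets of (s, ss) pairs, and reproduces the calculation of Example 23 (Section 4.3.1), the round trip of Theorem T.4.3.4, Example 24 above via Definitions 95 and 96, and the A2 fixed-point test of Section 4.2.4. The identification of a state with its x value and all function names are this example's own assumptions.

```python
from itertools import combinations

STATES = (1, 2)   # State(Sa) with Sa = {x}: a state is identified with its x value
BOT = None        # the special state ⊥ of State⊥ that marks non-termination


def subsets(universe):
    """Every subset of `universe` as a frozenset (the power set of the universe)."""
    xs = tuple(universe)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


def design(pre, post):
    """(pre ⊢ post) = (ok ∧ pre) ⇒ (ok' ∧ post); pre and post are predicates on (s, ac')."""
    return lambda s, ac, ok, okp: (not (ok and pre(s, ac))) or (okp and post(s, ac))


def same_design(p, q):
    """Predicate equality, checked over every observation of the alphabet."""
    return all(p(s, ac, ok, okp) == q(s, ac, ok, okp)
               for s in STATES for ac in subsets(STATES)
               for ok in (False, True) for okp in (False, True))


def d2bmb(p):
    """Definition 92: ((¬P^f ⇒ P^t)[ss/ac'] ∧ ⊥ ∉ ss) ∨ (P^f[ss∖{⊥}/ac'] ∧ ⊥ ∈ ss)."""
    rel = set()
    for s in STATES:
        for ss in subsets(STATES + (BOT,)):
            pf = p(s, ss, True, False)        # P^f: started (ok) and not terminated
            pt = p(s, ss, True, True)         # P^t: started and terminated
            if BOT not in ss and (pf or pt):  # ¬P^f ⇒ P^t is the same as P^f ∨ P^t
                rel.add((s, ss))
            if BOT in ss and p(s, ss - {BOT}, True, False):
                rel.add((s, ss))
    return frozenset(rel)


def bmb2d(rel):
    """Definition 93: ((s, ac' ∪ {⊥}) ∉ B ⊢ (s, ac') ∈ B)."""
    return design(lambda s, ac: (s, ac | {BOT}) not in rel,
                  lambda s, ac: (s, ac) in rel)


def seq_a(p, q):
    """Definition 96: P ;_A Q = P[{s : State | Q}/ac'], for predicates on (s, ac')."""
    return lambda s, ac: p(s, frozenset(t for t in STATES if q(t, ac)))


def seq_dac(p, q):
    """Definition 95: P ;_Dac Q = ∃ ok0 • P[ok0/ok'] ;_A Q[ok0/ok]."""
    def composed(s, ac, ok, okp):
        return any(seq_a(lambda s1, ac1: p(s1, ac1, ok, ok0),
                         lambda s1, ac1: q(s1, ac1, ok0, okp))(s, ac)
                   for ok0 in (False, True))
    return composed


def a2(p):
    """Theorem T.4.2.11: A2(P) = P[∅/ac'] ∨ (∃ y • P[{y}/ac'] ∧ y ∈ ac')."""
    return lambda s, ac, ok, okp: (p(s, frozenset(), ok, okp)
                                   or any(p(s, frozenset({y}), ok, okp) for y in ac))


# Example 23: ((x ↦ 2) ∉ ac' ⊢ (x ↦ 1) ∈ ac'), with the state (x ↦ n) written as n
EX23 = design(lambda s, ac: 2 not in ac, lambda s, ac: 1 in ac)


def example_23_matches_page():
    """d2bmb(EX23) is {s, ss | (x ↦ 2) ∈ ss ∨ ((x ↦ 1) ∈ ss ∧ ⊥ ∉ ss)}: the demonic
    choice of the possibly non-terminating x := 2 and the terminating x := 1."""
    expected = frozenset((s, ss) for s in STATES for ss in subsets(STATES + (BOT,))
                         if 2 in ss or (1 in ss and BOT not in ss))
    return d2bmb(EX23) == expected


def example_23_round_trip():
    """Theorem T.4.3.4: bmb2d ∘ d2bmb(P) = P for this A-healthy design."""
    return same_design(bmb2d(d2bmb(EX23)), EX23)


# Example 24: angelic choice of x := 1 and x := 2, then a program that aborts when x = 1
ANGEL = design(lambda s, ac: True, lambda s, ac: 1 in ac and 2 in ac)
GUARD = design(lambda s, ac: s != 1, lambda s, ac: s in ac)


def example_24_matches_page():
    """ANGEL ;_Dac GUARD = (true ⊢ {x ↦ 2} ∈ ac'): the implication in Theorem T.4.5.1
    filters out the angelic choice x = 1 that would make the second design abort."""
    return same_design(seq_dac(ANGEL, GUARD),
                       design(lambda s, ac: True, lambda s, ac: 2 in ac))


def a2_detects_angelic_choice():
    """A2 fixes the demonic EX23 but not ANGEL, whose conjunction is angelic (Section 4.2.4)."""
    return same_design(a2(EX23), EX23) and not same_design(a2(ANGEL), ANGEL)
```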

If we consider designs that observe H3, we can simplify the result further as there are no dashed variables in the precondition, as established by Theorem T.4.5.2.

Theorem T.4.5.2 Provided ok and ok' are not free in P, Q, R and S, and that P and Q are PBMH-healthy, and that ac' is not free in P,

$(P \vdash Q) ;_{Dac} (R \vdash S) = (P \land \lnot(Q ;_A \lnot R) \vdash Q ;_A (R \Rightarrow S))$

This is similar to the definition of sequential composition for designs where the precondition is a condition [51], except for the use of the operator $;_A$.


Closure

It is important that we establish closure of sequential composition ($;_{Dac}$) with respect to A. The proof of the following closure theorem relies on results established in Appendices E and F.

Theorem T.4.5.3 Provided P and Q are A-healthy and ok, ok' are not free in P and Q,

$A(P ;_{Dac} Q) = P ;_{Dac} Q$

This result establishes that $;_{Dac}$ is closed with respect to A provided both operands are also A-healthy.


Sequential Composition in Extended Binary Multirelations 


The following Theorem T.4.5.4 establishes that for designs that are A-healthy, the 
definition of sequential composition corresponds to that in the isomorphic model of 
extended binary multirelations. 


Theorem T.4.5.4 Provided P and Q are A-healthy designs,

$$bmb2d(d2bmb(P) \,;_{BM_\bot}\, d2bmb(Q)) = P \,;_{\mathcal{D}ac}\, Q$$

Together with the closure of $;_{\mathcal{D}ac}$, this result enables us to ascertain the closure of $;_{BM_\bot}$.

In what follows, we concentrate our attention on important properties observed 
by the sequential composition operator. 


Skip 

Similarly to the original theory of designs, we identify the Skip of the theory. We denote it by $\mathit{II}_{\mathcal{D}ac}$ and define it as follows.

Definition 97 (Skip) $\mathit{II}_{\mathcal{D}ac} = (true \vdash s \in ac')$

This is a design whose precondition is true, thus it is always applicable, and upon terminating it establishes that the input state s is in all sets of angelic choices ac'. The only results that can be guaranteed by the angel are those that are available in all demonic choices of the value of ac' that can be made. In this case, s is the only guarantee that we have, so the behaviour of $\mathit{II}_{\mathcal{D}ac}$ is to maintain the current state. The following Theorems T.4.5.5 and T.4.5.6 establish that $\mathit{II}_{\mathcal{D}ac}$ is A-healthy and that it is the left-unit for sequential composition.

Theorem T.4.5.5 $\mathbf{A}(\mathit{II}_{\mathcal{D}ac}) = \mathit{II}_{\mathcal{D}ac}$

Theorem T.4.5.6 Provided P is a design, $\mathit{II}_{\mathcal{D}ac} \,;_{\mathcal{D}ac}\, P = P$

These results confirm that $\mathit{II}_{\mathcal{D}ac}$ is indeed a suitable definition for the identity. We observe that $\mathit{II}_{\mathcal{D}ac}$ is only a right-identity for angelic designs that are H3-healthy. This is the motivation for the following discussion.
In what follows we establish that an H3-design in our theory requires the precondition not to mention dashed variables, as expected [39]. We first show the result of sequentially composing an A-healthy design P with $\mathit{II}_{\mathcal{D}ac}$ in Theorem T.4.5.7.

Theorem T.4.5.7 Provided P is an A-healthy design,

$$P \,;_{\mathcal{D}ac}\, \mathit{II}_{\mathcal{D}ac} = ((\neg \exists\, ac' \bullet P^f) \vdash P^t)$$

Finally Theorem T.4.5.8 establishes that $P \,;_{\mathcal{D}ac}\, \mathit{II}_{\mathcal{D}ac} = P$ restricts the precondition to a condition.

Theorem T.4.5.8 Provided P is an A-healthy design, it is H3-healthy if, and only if, its precondition does not mention ac',

$$(P \,;_{\mathcal{D}ac}\, \mathit{II}_{\mathcal{D}ac}) = P \Leftrightarrow ((\exists\, ac' \bullet P^f) = P^f)$$
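As an added illustration, not taken from the thesis, we apply Theorems T.4.5.7 and T.4.5.8 to two designs: the assignment x := 1, whose precondition is a condition, and the design $((x \mapsto 1) \notin ac' \vdash (x \mapsto 1) \in ac')$, whose precondition mentions ac'. The derivation assumes that both designs are A-healthy (the proviso of the theorems) and that, for a design $(p \vdash q)$ in which ok is not free in p, the predicate $P^f$ is $\neg p$.

$$
\begin{align*}
& (x := 1) \,;_{\mathcal{D}ac}\, \mathit{II}_{\mathcal{D}ac} && \{\text{Definition of assignment}\}\\
= \; & (true \vdash s \oplus (x \mapsto 1) \in ac') \,;_{\mathcal{D}ac}\, \mathit{II}_{\mathcal{D}ac} && \{\text{Theorem T.4.5.7, with } P^f = false\}\\
= \; & ((\neg \exists\, ac' \bullet false) \vdash s \oplus (x \mapsto 1) \in ac') && \{\text{Predicate calculus}\}\\
= \; & (true \vdash s \oplus (x \mapsto 1) \in ac') && \{\text{Definition of assignment}\}\\
= \; & (x := 1)\\
\intertext{Here $(\exists\, ac' \bullet P^f) = false = P^f$, so by Theorem T.4.5.8 the assignment is H3-healthy and $\mathit{II}_{\mathcal{D}ac}$ is a right-identity for it. For the second design the precondition depends on ac' and the composition collapses:}
& ((x \mapsto 1) \notin ac' \vdash (x \mapsto 1) \in ac') \,;_{\mathcal{D}ac}\, \mathit{II}_{\mathcal{D}ac} && \{\text{Theorem T.4.5.7, with } P^f = (x \mapsto 1) \in ac'\}\\
= \; & ((\neg \exists\, ac' \bullet (x \mapsto 1) \in ac') \vdash (x \mapsto 1) \in ac') && \{\text{Property of sets: } ac' = \{(x \mapsto 1)\} \text{ is a witness}\}\\
= \; & (\neg\, true \vdash (x \mapsto 1) \in ac') && \{\text{Propositional calculus}\}\\
= \; & (false \vdash (x \mapsto 1) \in ac') && \{\text{Definition of design and } \bot_{\mathcal{D}}\}\\
= \; & \bot_{\mathcal{D}}
\end{align*}
$$

Since $(\exists\, ac' \bullet P^f) = true \neq P^f$, Theorem T.4.5.8 confirms that the second design is not H3-healthy, which is why $\mathit{II}_{\mathcal{D}ac}$ is only a right-identity for H3-healthy angelic designs.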


Sequential Composition and the Extreme Points 


We now explore the consequences of sequentially composing a program with the 
extreme points of the lattice. As expected, we establish the same left-zero laws that 
hold in the original theory of designs [ 55] . 

The following Theorem T.4.5.9 shows that it is impossible to recover from an aborting program. Theorem T.4.5.10 establishes that if a design is miraculous then sequentially composing it with another design does not change its behaviour.

Theorem T.4.5.9 $\bot_{\mathcal{D}} \,;_{\mathcal{D}ac}\, P = \bot_{\mathcal{D}}$

Theorem T.4.5.10 $\top_{\mathcal{D}} \,;_{\mathcal{D}ac}\, P = \top_{\mathcal{D}}$

Both of these results are expected of a theory of designs [39].

This concludes our discussion of sequential composition. In the following Sections 4.5.3 and 4.5.4 we concentrate our attention on nondeterminism.


4.5.3 Demonic Choice 

The intuition for the demonic choice in our theory is related to the possible ways of choosing a value for ac'. In general, this can be described using disjunction like in the original theory of designs [39].

Definition 98 $P \sqcap_{\mathcal{D}ac} Q = P \vee Q$
This corresponds to the greatest lower bound of the lattice. We consider the following example, where $\oplus$ is the overriding operator [9].

Example 25

$$
\begin{align*}
& (x := 1) \sqcap_{\mathcal{D}ac} (x := 2) && \{\text{Definition of assignment}\}\\
= \; & (true \vdash s \oplus (x \mapsto 1) \in ac') \sqcap_{\mathcal{D}ac} (true \vdash s \oplus (x \mapsto 2) \in ac') && \{\text{Definition of } \sqcap_{\mathcal{D}ac} \text{ and disjunction of designs}\}\\
= \; & (true \vdash s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto 2) \in ac')
\end{align*}
$$

In this example we have at least two choices for the final value of ac': one has a state where x is 1 and the other has a state where x is 2. The demon can choose any set ac' satisfying either predicate. In this case, the angel is not guaranteed to be able to choose a particular final value for x, since there are no choices in the intersection of all possible choices of ac'.


Closure Properties 


The demonic choice operator is closed with respect to A, provided that both operands are also A-healthy. This result follows from the distributive property of A with respect to disjunction, as established by the following Theorem T.4.5.11.

Theorem T.4.5.11 Provided P and Q are designs,

$$\mathbf{A}(P \vee Q) = \mathbf{A}(P) \vee \mathbf{A}(Q)$$

Theorem T.4.5.12 Provided P and Q are A-healthy designs,

$$\mathbf{A}(P \sqcap_{\mathcal{D}ac} Q) = P \sqcap_{\mathcal{D}ac} Q$$


Relationship with Extended Binary Multirelations 


The demonic choice operator ($\sqcap_{\mathcal{D}ac}$) corresponds exactly to the demonic choice operator ($\sqcap_{BM_\bot}$) of the binary multirelational model. This result is established by the following Theorem T.4.5.13.

Theorem T.4.5.13 $bmb2p(B_0 \sqcap_{BM_\bot} B_1) = bmb2p(B_0) \sqcap_{\mathcal{D}ac} bmb2p(B_1)$

This result confirms the correspondence of demonic choice in both models. In what follows we focus our attention on its properties.


Properties 


In general, and since demonic choice is the greatest lower bound, if presented with the possibility to abort ($\bot_{\mathcal{D}}$), we expect the demon to choose the worst possible outcome as shown by the following Theorem T.4.5.14.

Theorem T.4.5.14 $P \sqcap_{\mathcal{D}ac} \bot_{\mathcal{D}} = \bot_{\mathcal{D}}$

As observed in the original theory of designs [39], the sequential composition operator distributes through demonic choice, but only from the right as established by Theorem T.4.5.15.

Theorem T.4.5.15 $(P \sqcap_{\mathcal{D}ac} Q) \,;_{\mathcal{D}ac}\, R = (P \,;_{\mathcal{D}ac}\, R) \sqcap_{\mathcal{D}ac} (Q \,;_{\mathcal{D}ac}\, R)$


These results conclude our discussion regarding the demonic choice operator and 
its properties. In the following section we focus our attention on the angelic choice 
operator and its respective properties. 


4.5.4 Angelic Choice 

Similarly to other models, angelic choice is defined as the least upper bound, which in this case is conjunction.

Definition 99 $P \sqcup_{\mathcal{D}ac} Q = P \wedge Q$

This definition is justified by the correspondence with the angelic choice operator of the binary multirelational model of Chapter 3.

To provide the intuition for this definition we consider the following Example 26.

Example 26

$$
\begin{align*}
& ((x \mapsto 1) \notin ac' \vdash (x \mapsto 1) \in ac') \sqcup_{\mathcal{D}ac} (true \vdash (x \mapsto 2) \in ac') && \{\text{Definition of } \sqcup_{\mathcal{D}ac}\}\\
= \; & \left( (x \mapsto 1) \notin ac' \vee true \vdash ((x \mapsto 1) \notin ac' \Rightarrow (x \mapsto 1) \in ac') \wedge (true \Rightarrow (x \mapsto 2) \in ac') \right) && \{\text{Predicate calculus}\}\\
= \; & (true \vdash (x \mapsto 1) \in ac' \wedge (x \mapsto 2) \in ac')
\end{align*}
$$

It considers the angelic choice between a design that assigns 1 to the only program
variable x, but does not necessarily terminate, and a design that assigns 2 to x, but 
terminates. The result is a program that always terminates and, for every set of 
final states, there is the possibility to choose angelically the assignment of the value 
1 or 2 to x. 


Closure Properties 

Having defined angelic choice as the least upper bound operator, in the following Theorem T.4.5.16 we prove that it is closed under A, provided that both operands are A-healthy.

Theorem T.4.5.16 Provided P and Q are A-healthy,

$$\mathbf{A}(P \sqcup_{\mathcal{D}ac} Q) = P \sqcup_{\mathcal{D}ac} Q$$


The proof for this theorem relies on the closure of PBMH for conjunction. 


Relationship with Extended Binary Multirelations 


Theorem T.4.5.17 establishes that the angelic choice operator of the designs and the binary multirelations models are in correspondence. This requires the operands to be BMH1-healthy. This is satisfied by every binary multirelation that is BMH0-BMH2.

Theorem T.4.5.17 Provided $B_0$ and $B_1$ are BMH1-healthy,

$$bmb2p(B_0 \sqcup_{BM_\bot} B_1) = bmb2p(B_0) \sqcup_{\mathcal{D}ac} bmb2p(B_1)$$

Having established the correspondence of the angelic choice operator in both models, 
in the following section we focus on its properties. 


Properties 

In general, and since angelic choice is the least upper bound, the angelic choice of a design P and the top of the lattice ($\top_{\mathcal{D}}$) is also $\top_{\mathcal{D}}$.

Theorem T.4.5.18 Provided P is a design, $P \sqcup_{\mathcal{D}ac} \top_{\mathcal{D}} = \top_{\mathcal{D}}$.

In this model, sequential composition does not necessarily distribute from the right nor from the left. In order to explain the intuition behind this we present the following Counter-example 2 for distribution from the left.


Counter-example 2 Assuming $;_{\mathcal{D}ac}$ distributes over $\sqcup_{\mathcal{D}ac}$ from the left,

$$
\begin{align*}
& \left( (true \vdash s \oplus (x \mapsto 1) \in ac') \sqc

ap_{\mathcal{D}ac} (true \vdash s \oplus (x \mapsto -1) \in ac') \right) \,;_{\mathcal{D}ac}\, \left( (s.x = 1 \vdash false) \sqcup_{\mathcal{D}ac} (s.x = -1 \vdash false) \right) && \{\text{Assumption}\}\\
= \; & \left( \left( (true \vdash s \oplus (x \mapsto 1) \in ac') \sqcap_{\mathcal{D}ac} (true \vdash s \oplus (x \mapsto -1) \in ac') \right) \,;_{\mathcal{D}ac}\, (s.x = 1 \vdash false) \right) \\
& \quad \sqcup_{\mathcal{D}ac} \left( \left( (true \vdash s \oplus (x \mapsto 1) \in ac') \sqcap_{\mathcal{D}ac} (true \vdash s \oplus (x \mapsto -1) \in ac') \right) \,;_{\mathcal{D}ac}\, (s.x = -1 \vdash false) \right) && \{\text{Definition of } \sqcap_{\mathcal{D}ac}\}\\
= \; & \left( (true \vdash s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_{\mathcal{D}ac}\, (s.x = 1 \vdash false) \right) \\
& \quad \sqcup_{\mathcal{D}ac} \left( (true \vdash s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_{\mathcal{D}ac}\, (s.x = -1 \vdash false) \right) && \{\text{Theorem T.4.5.1}\}\\
= \; & \left( (true \,;_A\, true) \wedge \neg ((s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, s.x \neq 1) \vdash (s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, (s.x = 1 \Rightarrow false) \right) \\
& \quad \sqcup_{\mathcal{D}ac} \left( (true \,;_A\, true) \wedge \neg ((s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, s.x \neq -1) \vdash (s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, (s.x = -1 \Rightarrow false) \right) && \{\text{Predicate calculus}\}\\
= \; & \left( (true \,;_A\, true) \wedge \neg ((s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, s.x \neq 1) \vdash (s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, s.x \neq 1 \right) \\
& \quad \sqcup_{\mathcal{D}ac} \left( (true \,;_A\, true) \wedge \neg ((s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, s.x \neq -1) \vdash (s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, s.x \neq -1 \right) && \{\text{Property of } ;_A \text{ and propositional calculus}\}\\
= \; & \left( \neg ((s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, s.x \neq 1) \vdash (s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, s.x \neq 1 \right) \\
& \quad \sqcup_{\mathcal{D}ac} \left( \neg ((s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, s.x \neq -1) \vdash (s \oplus (x \mapsto 1) \in ac' \vee s \oplus (x \mapsto -1) \in ac') \,;_A\, s.x \neq -1 \right) && \{\text{Definition of } ;_A \text{ and substitution}\}\\
= \; & \left( \neg (s \oplus (x \mapsto 1) \in \{z \mid z.x \neq 1\} \vee s \oplus (x \mapsto -1) \in \{z \mid z.x \neq 1\}) \vdash s \oplus (x \mapsto 1) \in \{z \mid z.x \neq 1\} \vee s \oplus (x \mapsto -1) \in \{z \mid z.x \neq 1\} \right) \\
& \quad \sqcup_{\mathcal{D}ac} \left( \neg (s \oplus (x \mapsto 1) \in \{z \mid z.x \neq -1\} \vee s \oplus (x \mapsto -1) \in \{z \mid z.x \neq -1\}) \vdash s \oplus (x \mapsto 1) \in \{z \mid z.x \neq -1\} \vee s \oplus (x \mapsto -1) \in \{z \mid z.x \neq -1\} \right) && \{\text{Property of sets and predicate calculus}\}\\
= \; & \left( \neg ((s \oplus (x \mapsto 1)).x \neq 1 \vee (s \oplus (x \mapsto -1)).x \neq 1) \vdash true \right) \sqcup_{\mathcal{D}ac} \left( \neg ((s \oplus (x \mapsto 1)).x \neq -1 \vee (s \oplus (x \mapsto -1)).x \neq -1) \vdash true \right) && \{\text{Property of } \oplus\}\\
= \; & (\neg (false \vee true) \vdash true) \sqcup_{\mathcal{D}ac} (\neg (true \vee false) \vdash true) && \{\text{Propositional calculus}\}\\
= \; & (false \vdash true) \sqcup_{\mathcal{D}ac} (false \vdash true) && \{\text{Property of } \sqcup_{\mathcal{D}ac}\}\\
= \; & (false \vdash true) && \{\text{Definition of design and propositional calculus}\}\\
= \; & true && \{\text{Definition of } \bot_{\mathcal{D}}\}\\
= \; & \bot_{\mathcal{D}}
\end{align*}
$$


This is a sequential composition. In the first program the precondition always holds and the program presents a choice to the demon. In this case, the demon can choose the set of final states, ac', by guaranteeing that either x is set to 1 or -1 in the final set of states ac'. The second program presents an angelic choice, but the precondition makes a restriction on the value of x in the initial state s: in either case, if the precondition is satisfied the program is $\top_{\mathcal{D}}$, otherwise if no precondition can be satisfied, the program behaves as $\bot_{\mathcal{D}}$.

It is expected that the angel will avoid $\bot_{\mathcal{D}}$ if possible. In this case, it is expected, since the angel can avoid aborting irrespective of the choice the demon makes before the angel. However, if we assume that the sequential composition operator $;_{\mathcal{D}ac}$ left-distributes over angelic choice we get a different result as shown above.

In addition, sequential composition does not distribute from the right. We illustrate this in Counter-example 3. It is the sequential composition of two designs. The first design is the angelic choice between the program that assigns 2 to x, but may not terminate, and the program that always terminates but whose final set of states ac' is unrestricted, except that it cannot be the empty set. The second design is miraculous for s.x = 2 and for every other value of s.x it aborts.


Counter-example 3

$$
\begin{align*}
& \left( ((x \mapsto 2) \notin ac' \vdash (x \mapsto 2) \in ac') \sqcup_{\mathcal{D}ac} (true \vdash ac' \neq \emptyset) \right) \,;_{\mathcal{D}ac}\, (s.x = 2 \vdash s.x \neq 2 \wedge ac' \neq \emptyset) && \{\text{Definition of } \sqcup_{\mathcal{D}ac}\}\\
= \; & \left( (x \mapsto 2) \notin ac' \vee true \vdash ((x \mapsto 2) \notin ac' \Rightarrow (x \mapsto 2) \in ac') \wedge (true \Rightarrow ac' \neq \emptyset) \right) \,;_{\mathcal{D}ac}\, (s.x = 2 \vdash s.x \neq 2 \wedge ac' \neq \emptyset) && \{\text{Predicate calculus}\}\\
= \; & (true \vdash (x \mapsto 2) \in ac' \wedge ac' \neq \emptyset) \,;_{\mathcal{D}ac}\, (s.x = 2 \vdash s.x \neq 2 \wedge ac' \neq \emptyset) && \{\text{Property of sets and predicate calculus}\}\\
= \; & (true \vdash (x \mapsto 2) \in ac') \,;_{\mathcal{D}ac}\, (s.x = 2 \vdash s.x \neq 2 \wedge ac' \neq \emptyset) && \{\text{Theorem T.4.5.1}\}\\
= \; & \left( \neg (false \,;_A\, true) \wedge \neg ((x \mapsto 2) \in ac' \,;_A\, s.x \neq 2) \vdash (x \mapsto 2) \in ac' \,;_A\, (s.x = 2 \Rightarrow (s.x \neq 2 \wedge ac' \neq \emptyset)) \right) && \{\text{Predicate calculus}\}\\
= \; & \left( \neg (false \,;_A\, true) \wedge \neg ((x \mapsto 2) \in ac' \,;_A\, s.x \neq 2) \vdash (x \mapsto 2) \in ac' \,;_A\, s.x \neq 2 \right) && \{\text{Definition of } ;_A \text{ and substitution}\}\\
= \; & \left( \neg false \wedge \neg ((x \mapsto 2) \in \{z \mid z.x \neq 2\}) \vdash (x \mapsto 2) \in \{z \mid z.x \neq 2\} \right) && \{\text{Property of sets}\}\\
= \; & \left( \neg false \wedge \neg ((x \mapsto 2).x \neq 2) \vdash (x \mapsto 2).x \neq 2 \right) && \{\text{Predicate calculus}\}\\
= \; & (\neg (2 \neq 2) \vdash 2 \neq 2) && \{\text{Predicate calculus}\}\\
= \; & (true \vdash false) && \{\text{Predicate calculus and definition of } \top_{\mathcal{D}}\}\\
= \; & \top_{\mathcal{D}}\\
\neq \; & \left( ((x \mapsto 2) \notin ac' \vdash (x \mapsto 2) \in ac') \,;_{\mathcal{D}ac}\, (s.x = 2 \vdash s.x \neq 2 \wedge ac' \neq \emptyset) \right) \sqcup_{\mathcal{D}ac} \left( (true \vdash ac' \neq \emptyset) \,;_{\mathcal{D}ac}\, (s.x = 2 \vdash s.x \neq 2 \wedge ac' \neq \emptyset) \right) && \{\text{Theorem T.4.5.1}\}\\
= \; & \left( \neg ((x \mapsto 2) \in ac' \,;_A\, true) \wedge \neg ((x \mapsto 2) \in ac' \,;_A\, s.x \neq 2) \vdash (x \mapsto 2) \in ac' \,;_A\, (s.x = 2 \Rightarrow (s.x \neq 2 \wedge ac' \neq \emptyset)) \right) \\
& \quad \sqcup_{\mathcal{D}ac} \left( \neg (false \,;_A\, true) \wedge \neg (ac' \neq \emptyset \,;_A\, s.x \neq 2) \vdash ac' \neq \emptyset \,;_A\, (s.x = 2 \Rightarrow (s.x \neq 2 \wedge ac' \neq \emptyset)) \right) && \{\text{Predicate calculus}\}\\
= \; & \left( \neg ((x \mapsto 2) \in ac' \,;_A\, true) \wedge \neg ((x \mapsto 2) \in ac' \,;_A\, s.x \neq 2) \vdash (x \mapsto 2) \in ac' \,;_A\, s.x \neq 2 \right) \\
& \quad \sqcup_{\mathcal{D}ac} \left( \neg (false \,;_A\, true) \wedge \neg (ac' \neq \emptyset \,;_A\, s.x \neq 2) \vdash ac' \neq \emptyset \,;_A\, s.x \neq 2 \right) && \{\text{Definition of } ;_A \text{ and substitution}\}\\
= \; & \left( \neg ((x \mapsto 2) \in \{z \mid true\}) \wedge \neg ((x \mapsto 2) \in \{z \mid z.x \neq 2\}) \vdash (x \mapsto 2) \in \{z \mid z.x \neq 2\} \right) \\
& \quad \sqcup_{\mathcal{D}ac} \left( \neg false \wedge \neg (\{z \mid z.x \neq 2\} \neq \emptyset) \vdash \{z \mid z.x \neq 2\} \neq \emptyset \right) && \{\text{Predicate calculus and property of sets}\}\\
= \; & \left( \neg true \wedge \neg ((x \mapsto 2).x \neq 2) \vdash (x \mapsto 2).x \neq 2 \right) \sqcup_{\mathcal{D}ac} \left( \neg false \wedge \neg true \vdash true \right) && \{\text{Predicate calculus}\}\\
= \; & (false \vdash false) \sqcup_{\mathcal{D}ac} (false \vdash true) && \{\text{Predicate calculus and definition of } \bot_{\mathcal{D}}\}\\
= \; & \bot_{\mathcal{D}} \sqcup_{\mathcal{D}ac} \bot_{\mathcal{D}} && \{\text{Definition of } \sqcup_{\mathcal{D}ac}, \bot_{\mathcal{D}} \text{ and predicate calculus}\}\\
= \; & \bot_{\mathcal{D}}
\end{align*}
$$


When the angelic choice is resolved first the result is the program that always terminates and whose set of final states ac' has a state where x is assigned the value 2. Sequentially composing this with the second design results in a miracle ($\top_{\mathcal{D}}$) as the only state available for angelic choice is where x has the value 2. And this is precisely the case in which the design behaves miraculously.

If we distribute the sequential composition through the angelic choice, in the resulting angelic choice there are two sequential compositions. In the first one, the result is $\bot_{\mathcal{D}}$ as the first design may not terminate. In the second, termination is guaranteed but any final set of states ($ac' \neq \emptyset$) may fail to satisfy the precondition s.x = 2, in which case the design aborts. In conclusion, angelic choice does not distribute through sequential composition at all.


4.6 Relationship with Designs 


In this section we study the relationship between the model of A-designs and the original theory of homogeneous designs of Hoare and He [39]. As we depict in Figures 1.1 and 1.4, this is achieved by defining a pair of linking functions: d2ac, which maps from designs into angelic designs, and ac2p, which maps in the opposite direction.

In the following Section 4.6.1 we introduce the definition of d2ac. In Section 4.6.2 we define ac2p and discuss how the angelic nondeterminism of a theory can be removed. Finally in Section 4.6.3 we establish that there is a Galois connection between the theory of A-designs and the original theory of designs, and that there is an isomorphism when we consider the subset of A2-healthy angelic designs.


4.6.1 From Designs to Angelic Designs (d2ac and p2ac)

The main concern when mapping a design into an angelic design pertains to encoding 
both the pre and postcondition in terms of a single initial state s and a set of final 
states ac'. Since the model of A-designs is also a theory of designs, ok and ok' retain 
the same meaning. The function d2ac is defined as follows. 

Definition 100 $d2ac(P) = (\neg\, p2ac(P^f) \wedge (\neg\, P^f[\mathbf{s}/ina_{-ok}] \,;\, true) \vdash p2ac(P^t))$

The negation of the precondition $P^f$ and the postcondition are mapped using the auxiliary function p2ac, while the second conjunct in the precondition of the angelic design requires that whenever $\neg P^f$ holds, then there is some final observation of the values of the variables in outa. The predicate $\neg\, P^f[\mathbf{s}/ina_{-ok}] \,;\, true$ can be restated as $\exists\, outa \bullet \neg\, P^f[\mathbf{s}/ina_{-ok}]$. Essentially this allows the value of ac' to be unspecified when the precondition $\neg P^f$ is not satisfied. This is defined using the substitution operator $[\mathbf{s}/S\alpha]$, where the boldface indicates that $\mathbf{s}$ is a record, and so the substitution is not simply $\mathbf{s}$ for $S\alpha$. Instead, for an arbitrary set of variables $S\alpha$, the substitution operator needed is defined as follows.

Figure 4.1: Encoding variables in a theory of angelic designs using p2ac

Definition 101 $P[z/S\alpha] = P[z.s_0, \ldots, z.s_n / s_0, \ldots, s_n]$

Each variable $s_i$ in $S\alpha$ is replaced with $z.s_i$. As an example, we consider the substitution $(x' = 2 \wedge ok')[s, z/ina_{-ok}, outa_{-ok'}]$, whose result is $z.x' = 2 \wedge ok'$. The substitution $[z/S\alpha]$ is well-formed whenever $S\alpha$ is a subset of the record components of z. In Appendix D we establish properties satisfied by this operator.

The main purpose of p2ac is to encode predicates in terms of s and ac'. For a given predicate P whose input and output alphabets are ina and outa, respectively, its encoding in a theory with angelic nondeterminism is given by the following function p2ac, which we illustrate in Figure 4.1.

Definition 102 $p2ac(P) = P[s, z/ina_{-ok}, outa_{-ok'}] \wedge undash(z) \in ac'$

First, each variable in the set of input and output variables, other than ok and ok', is replaced with the corresponding component of the initial state s and a final state z from the set of final states available for angelic choice. Since in our encoding states have undashed components, we require undash(z) to be in ac'.

The result of p2ac is upward-closed, that is, the predicates in the range of p2ac are fixed points of PBMH as established by the following Lemma L.4.6.1.

Lemma L.4.6.1 $\mathbf{PBMH} \circ p2ac(P) = p2ac(P)$

As previously discussed, this property is essential for a theory of angelic nondeterminism. The function p2ac distributes through disjunction as established by the following Theorem T.4.6.1.

Theorem T.4.6.1 $p2ac(P \vee Q) = p2ac(P) \vee p2ac(Q)$

In the case of conjunction there is an implication as established by Theorem T.4.6.2, rather than an equality, as p2ac is defined using an existential quantifier.

Theorem T.4.6.2 $p2ac(P \wedge Q) \Rightarrow p2ac(P) \wedge p2ac(Q)$

More importantly, the result of p2ac is A2-healthy as established by Theorem T.4.6.3.

Theorem T.4.6.3 $\mathbf{A2} \circ p2ac(P) = p2ac(P)$

This is expected since the original predicates mapped by p2ac do not have angelic nondeterminism.

A consequence of the definition of p2ac is that it requires ac' not to be empty, unless P is itself false. In the following Theorem T.4.6.4 we consider the application of p2ac to a design P when ac' is not empty.

Theorem T.4.6.4

$$ac' \neq \emptyset \wedge p2ac(\neg P^f \vdash P^t) = ac' \neq \emptyset \wedge (\neg\, p2ac(P^f) \vdash p2ac(P^t))$$

In this case p2ac can be applied directly to the negation of the precondition $P^f$ and the postcondition $P^t$ of a design P. This result sheds light on the relationship between p2ac and d2ac as established by Theorem T.4.6.5.

Theorem T.4.6.5 Provided P is a design,

$$ac' \neq \emptyset \wedge p2ac(P) = ac' \neq \emptyset \wedge d2ac(P)$$

When we consider the case of a design whose set of final states ac' is not empty, then d2ac is simply p2ac.
Finally, we establish that d2ac yields an A-healthy design, that is, the designs in the range of d2ac are fixed points of the healthiness condition A.

Theorem T.4.6.6 $\mathbf{A} \circ d2ac(P) = d2ac(P)$

This concludes our discussion regarding the definition of d2ac and its most important properties.


4.6.2 Removing Angelic Nondeterminism (ac2p) 

The mapping from angelic to non-angelic predicates is defined by ac2p, whose goal is to collapse the set of final states ac' into a single state, and introduce the input and output variables as used in other theories. Its definition is presented below.

Definition 103

$$ac2p(P) = \mathbf{PBMH}(P)[State_{II}(ina_{-ok})/s] \,;_A\, \left( \bigwedge x : outa_{-ok'} \bullet dash(s).x = x \right)$$

First, for a predicate P, ac2p takes the result of applying PBMH to P to achieve upward closure of ac'. This is followed by the replacement of s to introduce the corresponding input variables of the set $ina_{-ok}$, which excludes ok. As already mentioned, the observational variables ok and ok' retain the same meaning in the theories considered. Finally, the resulting predicate is sequentially composed, using $;_A$, with a predicate that introduces the corresponding output variables of the resulting final state, except for ok'. For a set of variables $S\alpha$, $State_{II}(S\alpha)$ is an identity record, whose components $s_i$ are mapped to the respective variables $s_i$.

Definition 104 $State_{II}(S\alpha) = \{s_0 \mapsto s_0, \ldots, s_n \mapsto s_n\}$

As an example, we consider the substitution $(s.x = 1 \wedge ok)[State_{II}(ina_{-ok})/s]$, whose result is $x = 1 \wedge ok$. If we consider the definition of PBMH and $;_A$, then ac2p can be rewritten as established by the following Lemma L.4.6.2.

Lemma L.4.6.2

$$ac2p(P) = \exists\, ac' \bullet \left( P[State_{II}(ina)/s] \wedge \forall\, z \bullet z \in ac' \Rightarrow \left( \bigwedge x : outa \bullet dash(z).x = x \right) \right)$$

That is, the variable ac' is quantified away, and for each state z in the set ac', the output variables in outa, except for ok', are introduced and set to the respective values of the components of z. Since in our encoding the components of a state are always undashed, we apply the function dash(z) to z. If there is more than one state in ac', then ac2p yields false as no x variable can take on more than one value.

4.6.3 Isomorphism and Galois Connection 

Having defined a pair of linking functions between the theory of angelic designs 
and designs, in this section we show that, in general, there is a Galois connection 
between the two theories. In addition, when we consider the subset of A2-healthy 
designs these two theories can be shown to be isomorphic. 


From Designs 

The mapping of a design P through d2ac and then ac2p yields the same design P as established by the following Theorem T.4.6.7.

Theorem T.4.6.7 Provided that P is a design, $ac2p \circ d2ac(P) = P$.

That is, in the theory of angelic designs we can model the original designs of Hoare and He [39] without angelic nondeterminism. This is a reassuring result which confirms the suitability of our model.


From Angelic Designs

When the linking functions are applied in the reverse order, however, we do not obtain the same design P. This result is established by Theorem T.4.6.8.

Theorem T.4.6.8 Provided P is an A-healthy design, $d2ac \circ ac2p(P) \sqsupseteq P$.

In general, the result of the application of ac2p followed by d2ac to an A-healthy design P is stronger than P. This is because the angelic nondeterminism is removed. For instance, the mapping of an angelic choice over two assignments x := 1 and x := 2 yields the top of the lattice $\top_{\mathcal{D}}$.


Example 27

$$
\begin{align*}
& d2ac \circ ac2p(x := 1 \sqcup x := 2) && \{\text{Definition of assignment and } \sqcup\}\\
= \; & d2ac \circ ac2p(true \vdash s \oplus \{x \mapsto 1\} \in ac' \wedge s \oplus \{x \mapsto 2\} \in ac') && \{\text{Lemma L.C.5.47}\}\\
= \; & \left( \neg\, p2ac(ac2p(false)) \wedge (\exists\, outa \bullet \neg\, ac2p(false)[s/ina]) \vdash p2ac(ac2p(s \oplus \{x \mapsto 1\} \in ac' \wedge s \oplus \{x \mapsto 2\} \in ac')) \right) && \{\text{Lemma L.C.5.27}\}\\
= \; & \left( \neg\, p2ac(false) \wedge (\exists\, outa \bullet \neg\, false[s/ina]) \vdash p2ac(ac2p(s \oplus \{x \mapsto 1\} \in ac' \wedge s \oplus \{x \mapsto 2\} \in ac')) \right) && \{\text{Predicate calculus and Lemma L.C.5.3}\}\\
= \; & \left( true \vdash p2ac(ac2p(s \oplus \{x \mapsto 1\} \in ac' \wedge s \oplus \{x \mapsto 2\} \in ac')) \right) && \{\text{Lemma L.5.3.1}\}\\
= \; & \left( true \vdash \exists\, ac_0, y \bullet (s \oplus \{x \mapsto 1\} \in ac' \wedge s \oplus \{x \mapsto 2\} \in ac')[ac_0/ac'] \wedge ac_0 \subseteq \{y\} \wedge y \in ac' \right) && \{\text{Substitution and property of sets}\}\\
= \; & (true \vdash false) && \{\text{Definition of } \top_{\mathcal{D}}\}\\
= \; & \top_{\mathcal{D}}
\end{align*}
$$

The results of Theorems T.4.6.8 and T.4.6.7 establish that we have a Galois connection between the two theories.


From A2-healthy Angelic Designs 

If we consider the subset of A-healthy designs that is in addition A2-healthy, then we can prove the reverse implication of Theorem T.4.6.8 as established by the following Theorem T.4.6.9.

Theorem T.4.6.9 Provided P is an A0-A2-healthy design, $d2ac \circ ac2p(P) \sqsubseteq P$.

Together these results allow us to prove that there is a bijection for the subset of A2-healthy designs.

Theorem T.4.6.10 Provided P is a design that is A0-A2-healthy,

$$d2ac \circ ac2p(P) = P$$

Proof. Follows from Theorems T.4.6.8 and T.4.6.9. □

This result confirms that these models are isomorphic as depicted in Figure 1.1.

This concludes our discussion on the relationship between the original theory of designs and the model of angelic designs. In the following Section 4.7 we focus our attention on the relationship with the PBMH theory.


4.7 Relationship with the PBMH Theory 


The final link that we study in this chapter pertains to the relationship between the model of A-designs and the theory of angelic nondeterminism of Cavalcanti et al. [38]. As previously discussed in Section 2.4.4, in that theory the alphabet consists of the input program variables, and a single output variable ac', which is a record whose components range over the dashed output program variables. In addition, termination is captured without considering ok and ok'.

When establishing a link between the theories of interest, the first concern is their alphabets. As we discussed in Section 4.1, the ac' of both theories can be related through the functions undashset and dashset, which undash and dash the components of every state in a set, respectively.

In order to relate both theories, we introduce a pair of linking functions, d2pbmh, which maps A-healthy designs to PBMH predicates, and pbmh2d, which maps predicates in the opposite direction. We introduce their definitions in the following Sections 4.7.1 and 4.7.2. Finally in Section 4.7.3 we show that there is a Galois connection between the theories, and that in general, the subset of angelic designs that is H3-healthy is isomorphic to the theory of [38].


4.7.1 From Angelic Designs to PBMH (d2pbmh)

In order to map angelic designs into the theory of PBMH, it is necessary to hide the variables ok and ok', introduce the input variables in ina, and appropriately dash the set of final states ac'. This is captured by the function d2pbmh as follows.

Definition 105

$$d2pbmh : \mathbf{A} \rightarrow \mathbf{PBMH}$$

$$d2pbmh(P) = (\neg\, P^f \Rightarrow P^t)[true/ok][undashset(ac')/ac'][State_{II}(ina_{-ok})/s]$$

First we consider the implication between the precondition $\neg P^f$ and postcondition $P^t$ of a design P. We require that ok is true and perform the following substitutions. Since the new variable ac' considers dashed components, the old variable ac' is replaced with an undashed version of ac'. Finally, the input variables in $ina_{-ok}$, which excludes ok, are introduced via the substitution of $State_{II}(ina_{-ok})$ for s.

We consider Example 28, where d2pbmh is applied to the assignment x := 1.

Example 28

$$
\begin{align*}
& d2pbmh(x := 1) && \{\text{Definition of assignment}\}\\
= \; & d2pbmh(true \vdash s \oplus \{x \mapsto 1\} \in ac') && \{\text{Definition of } d2pbmh\}\\
= \; & (true \Rightarrow s \oplus \{x \mapsto 1\} \in ac')[true/ok][undashset(ac')/ac'][State_{II}(ina_{-ok})/s] && \{\text{Substitution}\}\\
= \; & true \Rightarrow State_{II}(ina_{-ok}) \oplus \{x \mapsto 1\} \in undashset(ac') && \{\text{Predicate calculus}\}\\
= \; & State_{II}(ina_{-ok}) \oplus \{x \mapsto 1\} \in undashset(ac') && \{\text{Definition of } State_{II}\}\\
= \; & \{x_0 \mapsto x_0, \ldots, x_n \mapsto x_n\} \oplus \{x \mapsto 1\} \in undashset(ac') && \{\text{Definition of } \theta_{ina}\}\\
= \; & \theta_{ina} \oplus \{x \mapsto 1\} \in undashset(ac') && \{\text{Property of sets, } dash \text{ and } dashset\}\\
= \; & (\theta_{ina})' \oplus \{x' \mapsto 1\} \in ac'
\end{align*}
$$

The result is the corresponding assignment in the PBMH theory [38], where the state obtained by dashing every component of the initial state $\theta_{ina}$ is overridden so that the component x' takes the value 1. The following Theorem T.4.7.1 establishes that d2pbmh yields predicates that are PBMH-healthy.

Theorem T.4.7.1 Provided P is PBMH-healthy,

$$\mathbf{PBMH} \circ d2pbmh(P) = d2pbmh(P)$$

That is, when d2pbmh is applied to an angelic design that is A-healthy, then it is also PBMH-healthy. Therefore the application of d2pbmh yields a PBMH-healthy predicate as required.


4.7.2 From PBMH to Angelic Designs (pbmh2d)

In order to define a mapping in the opposite direction, we need to consider how to express a precondition in the theory of [38]. In that model, successful termination is guaranteed whenever ac' is not empty. The definition of the mapping from PBMH into angelic designs, pbmh2d, is defined below.

Definition 106

$$pbmh2d : \mathbf{PBMH} \rightarrow \mathbf{A}$$

$$pbmh2d(P) = (\neg\, P[\emptyset/ac'] \vdash P[dashset(ac')/ac'])[s/ina_{-ok}]$$

The precondition of the corresponding A-design requires that ac' is not empty. In the postcondition we substitute the existing set of final states ac' with a dashed version dashset(ac'). Finally, we require that the initial variables of P are components of the initial state s. In the following Theorem T.4.7.2 we prove that pbmh2d yields designs that are A and H3-healthy.

Theorem T.4.7.2 Provided P is PBMH-healthy,

$$\mathbf{A} \circ \mathbf{H3} \circ pbmh2d(P) = pbmh2d(P)$$

Similarly to the definition of d2pbmh, the proviso of Theorem T.4.7.2 ensures that the function is only applied to predicates that are PBMH-healthy.


4.7.3 Galois Connection and Isomorphism 


In general, the model of angelic designs can express every existing program of the 
theory of [38]. That is, those programs can be specified as angelic designs, where the 
precondition may not refer to the final set of states ad. This is formally established 


by the following Theorem T.4.7.3 


Theorem T.4.7.3 Provided P is PBMH -healthy, d2pbmh o pbmh2d(P) = P. 


Its only requirement is that the predicate must be PBMH-healthy. 

However, when we consider the reverse functional composition of d2pbmh and 


pbmh2d, we obtain a different result as established by Theorem T.4.7.4 


Theorem T.4.7.4 Provided P is an A-healthy design, 


pbmh2d o d2pbmh(P) C P 


This is because the theory of [38] cannot model sets of final states where termination 
is not guaranteed, as is the case for angelic designs which are not H3-hcalthy. Hence, 
these two results establish that the two adjoints form a Galois connection. 

If we consider the subset of angelic designs that are, in addition, H3-healthy,
then we obtain a bijection via the functions d2pbmh and pbmh2d, as established by
the following Theorem T.4.7.5.

Theorem T.4.7.5 Provided P is a design that is A and H3-healthy,

$pbmh2d \circ d2pbmh(P) = P$

While this is an expected result, it is reassuring that the subset of our theory that
is H3-healthy is in exact correspondence with the UTP theory of [38].

We observe that the subset of the binary multirelational model of Chapter 3
that is BMH3-healthy is isomorphic to the original theory of binary multirelations.
Since binary multirelations are also isomorphic to the UTP theory of [38], the result
presented in this section is also in agreement.


4.8 Final Considerations 

In this chapter we have presented a new theory of designs where both angelic and
demonic nondeterminism can be modelled. This consists of an extension of the
binary multirelational encoding of [38] to include the auxiliary variables ok and ok'
of the theory of designs [55]. Our angelic designs are not necessarily H3-healthy as
required for a treatment of processes.

The healthiness conditions of the theory have been presented and their main
properties proved. Through the development of the extended theory of binary
multirelations of Chapter 3 and the subsequent isomorphism, we have been able to
justify and explore the definition of the operators and the refinement order. It
is reassuring to know that the usual refinement order defined by universal reverse
implication corresponds to subset inclusion in the binary multirelational model.

Perhaps the most challenging aspect of the theory is that it relies on non-homogeneous
relations. As a consequence, sequential composition cannot be defined
as relational composition. While the definition may not be immediately obvious, it
is more intuitive when considered in the equivalent binary multirelational model
of Chapter 3. We have taken advantage of this correspondence to define an operator
with the expected properties.

In addition, we have established that every design can be expressed in the theory
of angelic designs. Moreover, the subset of A2-healthy designs is isomorphic to the
original theory of homogeneous designs of Hoare and He [55].

Finally, we have also studied the relationship between angelic designs and the
UTP theory of [38]. This is a complementary result to the link between the model
of $BM_\bot$ relations and that of the original theory of binary multirelations. This gives
us further assurance as to the capability to express the existing theories as a subset
of our own correctly.
Chapter 5

Reactive Angelic Designs

Based on the theory of angelic designs and the principles underlying the theory
of reactive processes, in this chapter we propose a natural extension to the UTP
theory of CSP where both angelic and demonic nondeterminism can be modelled.


In Section 5.1 we introduce the principles underlying our approach and justify the
encoding proposed for CSP. In Section 5.2 the healthiness conditions of the theory
are presented. Section 5.3 discusses the relationship between the new theory and the
existing model of CSP. The operators of the theory are discussed in Section 5.4 and,
for each operator, we discuss the relationship with their respective counterpart in
the original CSP theory. In Section 5.5 we characterise the important subset of
non-divergent reactive angelic designs. Finally, we summarize our results in Section 5.6.


5.1 Introduction 


As discussed earlier in Section 2.5.4, the observational variables of the UTP theory
of CSP are ok and ok' to record stability, and the additional variables wait, tr
and ref, and their respective dashed counterparts. Based on the concept of states
originally introduced in Section 2.4.3, we consider a model where the observational
variables of the theory of reactive processes are encoded as components of a State.
We define the alphabet as follows.

Definition 107 (Alphabet)

$ok, ok' : \{true, false\}$, $s : State(\{tr, ref, wait\})$, $ac' : \mathbb{P}\, State(\{tr, ref, wait\})$

In addition to a single initial state s, a set of final states ac', and the observational
variables ok and ok' that record stability, we require that every State has record
components of name tr, wait and ref. This enables the angelic choice over the final
or intermediate observations of tr, ref and wait.

We next show how we can express every healthiness condition of the original
theory of reactive processes, and ultimately CSP, in this new encoding. We then
propose linking functions between the theories so that we can reason about the
correspondence of the healthiness conditions and operators of both models. These
are important aspects for establishing the validity of the model.


5.2 Healthiness Conditions 


Since this is a theory with angelic nondeterminism, the set of final states ac' must
be upward-closed, so relations in this theory need to satisfy PBMH. As previously
discussed in Section 2.5.4, in the UTP, CSP processes are characterised as
the image of designs through the function R. In order to preserve the existing
semantics, we propose a corresponding construction; in the following Sections 5.2.1
to 5.2.5 we restate all the properties enforced by R in this new model. Namely, we
define healthiness conditions RA1, RA2 and RA3, whose functional composition
is named RA, and CSPA1 and CSPA2. All the healthiness conditions discussed
in this chapter are monotonic and idempotent. In Section 5.2.6 we show how this
construction allows CSP processes with angelic nondeterminism to be expressed as
the image of angelic designs through RA, the counterpart to R.


5.2.1 RA1 

The first property of interest that underpins the theory of reactive processes is
the notion that the history of events observed cannot be undone. In general, for
any initial state x, the set of all final states that satisfy this property is given by
$States_{tr \le tr'}(x)$ as defined below.

Definition 108 $States_{tr \le tr'}(x) = \{z : State(\{tr, ref, wait\}) \mid x.tr \le z.tr\}$

This definition is used for introducing the first healthiness condition, RA1, that not
only enforces this notion for final states in ac', but also requires that there is some
final state satisfying this property available for angelic choice.

Definition 109 $RA1(P) = (P \wedge ac' \neq \emptyset)[States_{tr \le tr'}(s) \cap ac'/ac']$


A consequence of the definition of RA1 is that it also enforces A0.

Theorem T.5.2.1

$RA1 \circ A0(P) = RA1(P)$

Although A0 only requires ac' not to be empty in the postcondition of an angelic
design, RA1 requires this under all circumstances. Proof of this and other results
not explicitly included in the body of this document can be found in Appendix G.
The function RA1 distributes through both conjunction and disjunction as
established by the following Theorems T.5.2.2 and T.5.2.3.

Theorem T.5.2.2 $RA1(P \wedge Q) = RA1(P) \wedge RA1(Q)$

Theorem T.5.2.3 $RA1(P \vee Q) = RA1(P) \vee RA1(Q)$


Since RA1 is also idempotent, consequently both conjunction and disjunction are
also closed under RA1.

Similarly to the theory of angelic designs, in this model, the definition of sequential
composition is also based on $;_A$. In Theorem T.5.2.4 we establish that this
operator is closed under RA1.

Theorem T.5.2.4 Provided P and Q are RA1-healthy and Q is PBMH-healthy,

$RA1(P \mathbin{;_A} Q) = P \mathbin{;_A} Q$

For every healthiness condition of the theory, the upward-closure enforced by PBMH
must be maintained. Theorem T.5.2.5 establishes this for RA1.

Theorem T.5.2.5

$PBMH \circ RA1 \circ PBMH(P) = RA1 \circ PBMH(P)$


However, PBMH and RA1 do not commute in general. We consider the following
Counter-example 4, where the healthiness conditions are applied to the relation
$ac' = \emptyset$, which is not PBMH-healthy.

Counter-example 4

$RA1 \circ PBMH(ac' = \emptyset)$ {Definition of PBMH (Lemma L.4.2.1)}
$= RA1(\exists ac_0 \bullet ac_0 = \emptyset \wedge ac_0 \subseteq ac')$ {One-point rule and property of sets}
$= RA1(true)$ {Lemma L.G.1.11}
$= States_{tr \le tr'}(s) \cap ac' \neq \emptyset$

$PBMH \circ RA1(ac' = \emptyset)$ {Definition of RA1}
$= PBMH((ac' = \emptyset \wedge ac' \neq \emptyset)[States_{tr \le tr'}(s) \cap ac'/ac'])$ {Predicate calculus}
$= PBMH(false)$ {Definition of PBMH (Lemma L.4.2.1)}
$= false$

In the first case, the application of PBMH yields true. The result of the functional
composition is then $RA1(true)$. On the other hand, in the second case, there is a
contradiction arising from the application of RA1, which leaves us with the result
false.


5.2.2 RA2 

The next healthiness condition of interest is RA2, which requires a process to be 
insensitive to the initial trace of events s.tr. It is the counterpart to R2 of the 
original theory of reactive processes, and is also defined using substitution. 


Definition 110

$RA2(P) = P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$


It defines the component tr in the initial state s to be the empty sequence, and 
consequently the set of final states ac' is restricted by considering those states z 
whose traces are a suffix of s.tr, and furthermore, defining their trace to be the 
difference with respect to the initial trace s.tr. 

Since substitution distributes through conjunction and disjunction, so does the
function RA2 as established by the following Theorems T.5.2.6 and T.5.2.7.

Theorem T.5.2.6 $RA2(P \wedge Q) = RA2(P) \wedge RA2(Q)$

Theorem T.5.2.7 $RA2(P \vee Q) = RA2(P) \vee RA2(Q)$

As RA2 is idempotent, both conjunction and disjunction are closed under RA2.
Similarly to the case for RA1, the operator $;_A$ is also closed under RA2.

Theorem T.5.2.8 Provided P and Q are RA2-healthy,

$RA2(P \mathbin{;_A} Q) = P \mathbin{;_A} Q$


A consequence of the definition of RA2 is that applying it to the predicate that
requires ac' not to be empty is equivalent to applying RA1 to the relation true.

Theorem T.5.2.9

$RA2(ac' \neq \emptyset) = RA1(true)$

Proof.

$RA2(ac' \neq \emptyset)$ {Definition of RA2}
$= (ac' \neq \emptyset)[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Substitution}
$= \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\} \neq \emptyset$ {Property of sets}
$= \exists y \bullet y \in \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}$ {Property of sets}
$= \exists y, z \bullet z \in ac' \wedge s.tr \le z.tr \wedge y = z \oplus \{tr \mapsto z.tr - s.tr\}$ {One-point rule}
$= \exists z \bullet z \in ac' \wedge s.tr \le z.tr$ {Lemma L.G.1.10}
$= RA1(true)$

□

This result sheds light on the relationship between RA2 and RA1, as in fact, these
functions are commutative as established by Theorem T.5.2.10.

Theorem T.5.2.10 $RA2 \circ RA1(P) = RA1 \circ RA2(P)$

Finally, RA2 preserves the upward closure of PBMH.

Theorem T.5.2.11 $PBMH \circ RA2 \circ PBMH(P) = RA2 \circ PBMH(P)$


These results conclude our discussion of RA2 and its most important properties. 


5.2.3 RA3 

Similarly to the theory of reactive processes, we must ensure that a process cannot
be started before the previous process has finished interacting with the environment.
The counterpart to R3 in this new theory is RA3. Before exploring its definition,
we introduce the identity $II_{RAD}$ of our theory.

Definition 111 $II_{RAD} = (RA1(\neg ok) \vee (ok' \wedge s \in ac'))$

Similarly to the reactive identity $II_{rea}$, the behaviour for an unstable state $\neg ok$ is
given by RA1, that is, there must be at least one final state in ac' whose trace is a
suffix of the initial trace s.tr. Otherwise, the process is stable, ok' is true, and the
initial state s is in the set of final states ac'.

Having defined the identity, we introduce the definition of RA3 below.

Definition 112 $RA3(P) \triangleq II_{RAD} \lhd s.wait \rhd P$

This definition is similar to that of the original theory, except that we use $II_{RAD}$ as
the identity and use s.wait instead of wait as a condition since in our theory wait
is a component of the initial state s. Using Leibniz's substitution, it is possible to
establish the following Lemma L.5.2.1, where $P_w = P[s \oplus \{wait \mapsto w\}/s]$.

Lemma L.5.2.1 $RA3(P) = RA3(P_f)$


This result is in correspondence with a similar property of R3 in the original theory
of CSP that is essential in the characterisation of CSP processes via reactive designs.

Similarly to the previous healthiness conditions, RA3 also distributes through
both conjunction and disjunction as established by Theorems T.5.2.12 and T.5.2.13.

Theorem T.5.2.12 $RA3(P \wedge Q) = RA3(P) \wedge RA3(Q)$

Theorem T.5.2.13 $RA3(P \vee Q) = RA3(P) \vee RA3(Q)$


Consequently, these operators are closed under RA3.

The operator $;_A$ is also closed under RA3 provided that the second operand is
also RA1-healthy as established by Theorem T.5.2.14.

Theorem T.5.2.14 Provided P and Q are RA3-healthy and Q is RA1-healthy,

$RA3(P \mathbin{;_A} Q) = P \mathbin{;_A} Q$

The proviso is similar to that observed for the closure of ; under R3 in the original
theory of reactive processes. The extra restriction on Q, which needs to be
RA1-healthy, is not a problem since the theory of interest is characterised by the
functional composition of all healthiness conditions.

Furthermore, as required, the function RA3 also preserves the upward-closure.

Theorem T.5.2.15 $PBMH \circ RA3 \circ PBMH(P) = RA3 \circ PBMH(P)$


The identity $II_{RAD}$ is a fixed point of every healthiness condition, including RA1,
RA2, RA3 and PBMH as established by Theorems T.G.3.1 to T.G.3.4. Finally,
RA3 commutes with both RA1 and RA2 as established by Theorems T.5.2.16
and T.5.2.17.

Theorem T.5.2.16

$RA3 \circ RA1(P) = RA1 \circ RA3(P)$

Theorem T.5.2.17

$RA2 \circ RA3(P) = RA3 \circ RA2(P)$

This concludes our discussion of the most important properties of RA3.


5.2.4 RA 

The healthiness conditions that we have considered so far in this chapter are
counterparts to those of the original model of reactive processes. Hence this is a theory
that is similarly characterised by the functional composition of the healthiness
conditions RA1, RA2, RA3, besides PBMH. In order to provide a parallel with the
original theory of reactive processes, we define part of this composition as RA.

Definition 113 $RA(P) \triangleq RA1 \circ RA2 \circ RA3(P)$

The order of the functional composition is not important since these functions
commute, except for PBMH that does not necessarily commute with every function.
So when considering the counterpart theory to reactive processes, but with angelic
nondeterminism, PBMH needs to be applied before RA.

As previously stated, every healthiness condition considered in this chapter is
idempotent and monotonic. Theorems T.G.1.1, T.G.2.1 and T.G.3.5 in Appendix G
establish that RA1, RA2 and RA3 are idempotent. Similarly monotonicity is
established for these functions by Theorems T.G.1.2, T.G.2.2 and T.G.3.6. As a
consequence the functional composition RA is also idempotent and monotonic.

In addition, since all of the RA functions distribute through conjunction and 
disjunction so does the functional composition RA. Finally, RA maintains the 
upward-closure enforced by PBMH since all of the RA healthiness conditions do 
so as well. This concludes our discussion of the most important properties of RA. 


5.2.5 CSP Processes with Angelic Nondeterminism 

In the original theory of CSP another two healthiness conditions, CSP1 and CSP2,
are required, in addition to R, to characterise CSP processes. In order to consider a
theory of CSP with angelic nondeterminism we follow a similar approach by defining
a counterpart to these functions in what follows.

CSPA1

The first healthiness condition of interest is CSPA1, which is the counterpart to
CSP1 in the new theory. Its definition is presented below.

Definition 114 $CSPA1(P) \triangleq P \vee RA1(\neg ok)$
A CSP process with angelic nondeterminism P is required to observe RA1 when
in an unstable state. For a RA-healthy process, this property is already enforced
by RA1 under all circumstances. Similarly to the original theory of CSP, the
following Theorem T.5.2.18 establishes that this behaviour can also be described as
the functional composition of RA1 after H1.

Theorem T.5.2.18 $CSPA1 \circ RA1(P) = RA1 \circ H1(P)$

Proof.

$CSPA1 \circ RA1(P)$ {Definition of CSPA1}
$= RA1(P) \vee RA1(\neg ok)$ {Theorem T.5.2.3}
$= RA1(P \vee \neg ok)$ {Predicate calculus}
$= RA1(ok \Rightarrow P)$ {Definition of H1}
$= RA1 \circ H1(P)$

□

The function CSPA1 is idempotent and monotonic. Furthermore, it preserves the
upward-closure as required by PBMH.

Theorem T.5.2.19

Provided P is PBMH-healthy,

$PBMH \circ CSPA1(P) = CSPA1(P)$


This concludes the discussion of the properties of CSPA1. 


CSPA2 


The last healthiness condition of interest is the counterpart to CSP2. It is defined
as H2 with the extended alphabet that includes s and ac'.

Definition 115 $CSPA2(P) \triangleq H2(P)$

This healthiness condition satisfies the same properties as H2, including, for
example, those established by Theorems T.4.2.10 and T.E.6.1. It can alternatively be
defined using the J-split of Woodcock and Cavalcanti.

5.2.6 Reactive Angelic Designs (RAD)

The theory of CSP processes in the new model is defined by RAD, which is the
functional composition of all the healthiness conditions of interest.

Definition 116 $RAD(P) = RA \circ CSPA1 \circ CSPA2 \circ PBMH(P)$

Since PBMH and RA1 do not commute, PBMH is applied first. The fixed points
of RAD are the reactive angelic designs. Every such process P can be expressed
as $RA \circ A(\neg P^f_f \vdash P^t_f)$, where $P^o_w = P[o, s \oplus \{wait \mapsto w\}/ok', s]$, as
established by the following Theorem T.5.2.20.

Theorem T.5.2.20

$RAD(P) = RA \circ A(\neg P^f_f \vdash P^t_f)$


Proof.

$RAD(P)$ {Definition of RAD}
$= RA3 \circ RA2 \circ RA1 \circ CSPA1 \circ CSPA2 \circ PBMH(P)$ {Theorem T.G.5.3}
$= RA3 \circ RA2 \circ RA1 \circ H1 \circ CSPA2 \circ PBMH(P)$ {CSPA2 is H2}
$= RA3 \circ RA2 \circ RA1 \circ H1 \circ H2 \circ PBMH(P)$ {Theorem T.5.2.1}
$= RA3 \circ RA2 \circ RA1 \circ A0 \circ H1 \circ H2 \circ PBMH(P)$ {Theorems T.E.6.1 and T.E.6.2}
$= RA3 \circ RA2 \circ RA1 \circ A0 \circ PBMH \circ H1 \circ H2(P)$ {Definition of design}
$= RA3 \circ RA2 \circ RA1 \circ A0 \circ PBMH(\neg P^f \vdash P^t)$ {Definition of A}
$= RA3 \circ RA2 \circ RA1 \circ A(\neg P^f \vdash P^t)$ {Theorems T.5.2.10, T.5.2.17 and T.5.2.16}
$= RA1 \circ RA2 \circ RA3 \circ A(\neg P^f \vdash P^t)$ {Lemmas L.C.1.5 and L.5.2.1}
$= RA1 \circ RA2 \circ RA3 \circ A((\neg P^f \vdash P^t)_f)$ {Substitution}
$= RA1 \circ RA2 \circ RA3 \circ A(\neg P^f_f \vdash P^t_f)$ {Definition of RA}
$= RA \circ A(\neg P^f_f \vdash P^t_f)$

□

That is, such processes can be specified as the image of an A-healthy design through
the function RA. This is a result similar to that obtained for CSP processes as the
image of designs through R [33]. Since both RA and A are monotonic and
idempotent, and the theory of designs is a complete lattice, so is the theory of
reactive angelic designs.

Figure 5.1: Relationship between theories. (a) Theories and links; (b) Predicates and links.


Since PBMH is just A1, and RA1 enforces A0, a fixed point P of RAD can
alternatively be expressed as shown in the following Lemma L.5.2.2.

Lemma L.5.2.2

$RAD(P) = RA(\neg PBMH(P)^f_f \vdash PBMH(P)^t_f)$

That is, an angelic design, with PBMH applied to the negation of the precondition
and postcondition. Furthermore, it is possible to infer that if P is a reactive angelic
design, then it is also PBMH-healthy.

Theorem T.5.2.21

Provided P is RAD-healthy, $PBMH(P) = P$.


This concludes our discussion of the healthiness condition of the theory of reactive 
angelic designs, RAD, and its respective properties. 


5.3 Relationship with CSP 


The theory of reactive angelic designs can be related to the original UTP theory
of CSP through the pair of linking functions ac2p and p2ac previously introduced
in Section 4.6 and reproduced below.

$ac2p(P) = PBMH(P)[State_{II}(in\alpha_{-ok})/s] \mathbin{;_A} \bigwedge x : out\alpha_{-ok'} \bullet dash(s).x = x$

$p2ac(P) = \exists z \bullet P[s, z/in\alpha_{-ok}, out\alpha_{-ok'}] \wedge undash(z) \in ac'$

We employ ac2p by considering the set of variables $in\alpha$ to be {tr, ref, wait}, and a
corresponding set of variables $out\alpha$ with dashed counterparts; State, therefore, has
components ranging over $in\alpha$. Similarly, for the mapping in the opposite direction,
from reactive angelic designs to CSP processes we employ p2ac with the same sets
of variables $in\alpha$ and $out\alpha$.
The relationship between the models has previously been illustrated in the context
of all theories in Figure 1.1. Here we focus our attention on the relationship
with CSP. In Figure 5.1(a) each theory is labelled according to its healthiness
conditions. The subset of reactive angelic designs that corresponds exactly to CSP
processes is characterised by A2, the healthiness condition which we previously
discussed in Section 4.2.4, that characterises predicates with no angelic nondeterminism.

In Figure 5.1(b) the relationship between the predicates of each theory is
illustrated. For a predicate P of the theory of reactive angelic designs, the
functional composition $p2ac \circ ac2p(P)$ yields a stronger predicate since any angelic
nondeterminism in P is virtually collapsed into a single final state, while for a
predicate Q of the CSP theory, the composition $ac2p \circ p2ac(Q)$ yields exactly the same
predicate Q. Thus a Galois connection exists between the theories.

5.3.1 From Reactive Angelic Designs to CSP (ac2p)


As already stated, the mapping from reactive angelic designs to CSP processes
achieved through ac2p defines a Galois connection. Application of this function
to a predicate P that is both RA-healthy and PBMH-healthy yields a healthy
counterpart in the original theory as established by the following Theorem T.5.3.1.

Theorem T.5.3.1 Provided P is PBMH-healthy, $ac2p \circ RA(P) = R \circ ac2p(P)$


If we consider P to be a reactive angelic design, then we can show that the application
of ac2p yields a reactive design as established by Theorem T.5.3.2.

Theorem T.5.3.2

$ac2p \circ RA \circ A(\neg P^f_f \vdash P^t_f) = R(\neg ac2p(P^f_f) \vdash ac2p(P^t_f))$

Proof.

$ac2p \circ RA \circ A(\neg P^f_f \vdash P^t_f)$ {Theorem T.G.1.6}
$= ac2p \circ RA \circ PBMH(\neg P^f_f \vdash P^t_f)$ {Theorem T.5.3.1}
$= R \circ ac2p \circ PBMH(\neg P^f_f \vdash P^t_f)$ {Lemma L.C.5.36}
$= R \circ ac2p(\neg P^f_f \vdash P^t_f)$ {Lemma L.G.5.28}
$= R(\neg ac2p(P^f_f) \vdash ac2p(P^t_f))$

□

This is a pleasing result that supports the reuse of results across the theories. We
consider the following Example 29, where ac2p is applied to the angelic choice
between a prefixing on the event a followed by deadlock, and on the event b followed
by deadlock. The operators of the theory of reactive angelic designs have subscript
RAD in order to distinguish them from those of the original theory of CSP, which
have subscript R.

Example 29

$ac2p(a \to_{RAD} Stop_{RAD} \sqcup_{RAD} b \to_{RAD} Stop_{RAD}) = a \to_R Stop_R \sqcup_R b \to_R Stop_R$

Proof. Lemma L.G.8.2

□

The result is the least upper bound of the corresponding CSP processes, where $\sqcup_R$
is also defined using conjunction. This is a process that cannot be expressed using
the standard operators of CSP. The conjunction of non-divergent CSP processes
requires the conjunction of their respective postconditions, and thus an agreement. In
this case, both processes can only agree on the trace of events remaining unchanged,
and not refusing events a and b, while waiting.


5.3.2 From CSP to Reactive Angelic Designs (p2ac) 

The mapping in the opposite direction, from CSP processes to reactive angelic
designs, is achieved through the function p2ac. As discussed in Section 4.6, the
result of applying p2ac is upward-closed as established by Lemma L.4.6.1. The
application of p2ac to a process P that is R-healthy can be described by the
functional composition of RA after p2ac to the original process P, as established by the
following Theorem T.5.3.3.

Theorem T.5.3.3 $p2ac \circ R(P) = RA \circ p2ac(P)$

The result of applying p2ac to a reactive design is established in Theorem T.5.3.4:
p2ac can be directly applied to the pre and postconditions separately, followed by
A and RA.

Theorem T.5.3.4

$p2ac \circ R(\neg P^f_f \vdash P^t_f) = RA \circ A(\neg p2ac(P^f_f) \vdash p2ac(P^t_f))$


Proof.

$p2ac \circ R(\neg P^f_f \vdash P^t_f)$ {Theorem T.5.3.3 and definition of RA}
$= RA3 \circ RA2 \circ RA1 \circ p2ac(\neg P^f_f \vdash P^t_f)$ {Definition of RA1}
$= RA3 \circ RA2 \circ RA1(p2ac(\neg P^f_f \vdash P^t_f) \wedge ac' \neq \emptyset)$ {Theorem T.4.6.4}
$= RA3 \circ RA2 \circ RA1((\neg p2ac(P^f_f) \vdash p2ac(P^t_f)) \wedge ac' \neq \emptyset)$ {RA1 and RA}
$= RA(\neg p2ac(P^f_f) \vdash p2ac(P^t_f))$ {Lemma L.4.6.1}
$= RA(\neg PBMH \circ p2ac(P^f_f) \vdash PBMH \circ p2ac(P^t_f))$ {Definition of A1}
$= RA \circ A1(\neg p2ac(P^f_f) \vdash p2ac(P^t_f))$ {Definition of RA and Theorem T.5.2.1}
$= RA \circ A0 \circ A1(\neg p2ac(P^f_f) \vdash p2ac(P^t_f))$ {Definition of A}
$= RA \circ A(\neg p2ac(P^f_f) \vdash p2ac(P^t_f))$

□

This result enables CSP processes to be easily mapped into the theory of reactive
angelic designs by considering the mapping of the pre and postconditions of CSP
processes directly.

We consider the following example, where the terminating process $Skip_R$ is
mapped through p2ac into the theory of reactive angelic designs.

Example 30

$p2ac(Skip_R) = RA \circ A(true \vdash \exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge y \in ac')$

Proof. Theorem T.5.4.19

□


The reactive angelic design also has true as its precondition, while the postcondition 
asserts that there is a final state y in the set of angelic choices ac' where the trace 
of events s.tr is kept unchanged and the value of the component wait is false, that 
is, the process has finished interacting with the environment. 


5.3.3 Galois Connection and Isomorphism 


As already mentioned, the pair of linking functions we have considered establish a
Galois connection between the theory of CSP and that of reactive angelic designs.
When considering the mapping from the original theory of reactive processes,
followed by the mapping in the opposite direction, we obtain an exact correspondence
as shown in the following Theorem T.5.3.5.

Theorem T.5.3.5 $ac2p \circ p2ac(P) = P$
Proof.

$ac2p \circ p2ac(P)$ {Definition of ac2p}
$= (PBMH \circ p2ac(P))[State_{II}(in\alpha_{-ok})/s] \mathbin{;_A} \bigwedge x : out\alpha_{-ok'} \bullet dash(s).x = x$ {Lemma L.4.6.1}
$= p2ac(P)[State_{II}(in\alpha_{-ok})/s] \mathbin{;_A} \bigwedge x : out\alpha_{-ok'} \bullet dash(s).x = x$ {Definition of p2ac}
$= (\exists z \bullet P[s, z/in\alpha_{-ok}, out\alpha_{-ok'}] \wedge undash(z) \in ac')[State_{II}(in\alpha_{-ok})/s] \mathbin{;_A} \bigwedge x : out\alpha_{-ok'} \bullet dash(s).x = x$ {Substitution}
$= (\exists z \bullet P[s, z/in\alpha_{-ok}, out\alpha_{-ok'}][State_{II}(in\alpha_{-ok})/s] \wedge undash(z) \in ac') \mathbin{;_A} \bigwedge x : out\alpha_{-ok'} \bullet dash(s).x = x$ {Lemma L.D.1.13}
$= (\exists z \bullet P[z/out\alpha_{-ok'}] \wedge undash(z) \in ac') \mathbin{;_A} \bigwedge x : out\alpha_{-ok'} \bullet dash(s).x = x$ {Definition of $;_A$ and substitution}
$= \exists z \bullet P[z/out\alpha_{-ok'}] \wedge undash(z) \in \{s \mid \bigwedge x : out\alpha_{-ok'} \bullet dash(s).x = x\}$ {Property of sets}
$= \exists z \bullet P[z/out\alpha_{-ok'}] \wedge \bigwedge x : out\alpha_{-ok'} \bullet dash(undash(z)).x = x$ {Property of dash and undash}
$= \exists z \bullet P[z/out\alpha_{-ok'}] \wedge \bigwedge x : out\alpha_{-ok'} \bullet z.x = x$ {Lemma L.D.1.9}
$= P[z/out\alpha_{-ok'}][State_{II}(out\alpha_{-ok'})/z]$ {Lemma L.D.1.10}
$= P$

□


This result establishes that our theory can accommodate the existing CSP processes
appropriately, that is, those without angelic nondeterminism.

When considering the mapping in the opposite direction we obtain the following
result in Lemma L.5.3.1.

Lemma L.5.3.1 $p2ac \circ ac2p(P) = \exists ac_0, y \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{y\} \wedge y \in ac'$

If the set of final states $ac_0$ in P has more than one state, then the result of
$p2ac \circ ac2p(P)$ is false, otherwise, $ac_0$ is either a singleton, in which case ac' is
any set containing its element, or empty, in which case ac' is arbitrary. Most
importantly, the functional composition only preserves predicates whose set of angelic
choices is either empty or a singleton, otherwise the result is false.

We consider the following Example 31, where Lemma L.5.3.1 is applied to the
angelic choice between events a or b followed by deadlock.


Example 31

$p2ac \circ ac2p(a \to_{RAD} Stop_{RAD} \sqcup_{RAD} b \to_{RAD} Stop_{RAD})$

$= RA \circ A(true \vdash \exists y \bullet y \in ac' \wedge y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge b \notin y.ref)$

Proof. Lemmas L.G.8.2 and L.G.8.3

□

This process corresponds to the application of p2ac to the result obtained in the
previous Example 29. In this case, the process is always waiting for the environment
and keeps the trace of events unchanged, however it requires that neither event a
nor b are refused. This is a process whose behaviour cannot be described using the
standard operators of CSP.


If we consider the result of Lemma L.5.3.1 in the context of the predicates of
our theory, that is, those which are PBMH-healthy, then we obtain an inequality
as shown in the following Theorem T.5.3.6.

Theorem T.5.3.6 Provided P is PBMH-healthy, $p2ac \circ ac2p(P) \sqsupseteq P$.

Proof.

$p2ac \circ ac2p(P)$ {Lemma L.5.3.1}
$= \exists ac_0, y \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{y\} \wedge y \in ac'$ {Property of sets}
$= \exists ac_0, y \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{y\} \wedge \{y\} \subseteq ac'$ {Predicate calculus}
$\Rightarrow \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P)$ {Assumption: P is PBMH-healthy}
$= P$

□


This theorem, together with Theorem T.5.3.5, establishes the existence of a Galois
connection between the theories. In particular, these results also hold between
reactive processes, characterised by R, and the reactive angelic designs, characterised
by RAD, that is, in general, the Galois connection is not restricted to CSP
processes. This is because the proviso of Theorem T.5.3.5 only requires P to be
PBMH-healthy.
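The following Python script is an added example, not code from the thesis: it builds a finite model of the observation space (a constructed one-event alphabet with traces of length at most one, and State encoded as a (tr, ref, wait) tuple) and checks, by exhaustive enumeration, Counter-example 4 and Theorems T.5.2.5, T.5.2.9 and T.5.2.10 of Section 5.2, together with the collapse of angelic choice described by Lemma L.5.3.1 and Theorem T.5.3.6 above. PBMH, RA1, RA2 and the right-hand side of Lemma L.5.3.1 are transcribed from Definitions 108 to 110 and the lemma; the sample predicates ONE and TWO are assumptions of the example.

```python
"""Finite-model check of RA1, RA2, PBMH (Section 5.2) and of the p2ac o ac2p
collapse (Lemma L.5.3.1, Theorem T.5.3.6).  Added example, not thesis code.
A State({tr, ref, wait}) is a (tr, ref, wait) tuple over a constructed alphabet
{a} with traces of length <= 1; a predicate over (s, ac') is the set of pairs
(s, ac') satisfying it; ok and ok' play no role here and are left out.
"""
from itertools import combinations

EVENTS = ('a',)
TRACES = ((), ('a',))                        # constructed: traces of length <= 1
REFUSALS = (frozenset(), frozenset(EVENTS))
STATES = tuple((tr, ref, wait) for tr in TRACES for ref in REFUSALS for wait in (False, True))
ACS = [frozenset(c) for n in range(len(STATES) + 1) for c in combinations(STATES, n)]
PAIRS = [(s, ac) for s in STATES for ac in ACS]     # all observations (s, ac')

def pred(f):
    """The predicate (set of satisfying (s, ac') pairs) defined by a boolean function."""
    return frozenset((s, ac) for s, ac in PAIRS if f(s, ac))

def is_prefix(t, u):
    """t <= u on traces: t is a prefix of u."""
    return u[:len(t)] == t

def states_tr_le(x):
    """Definition 108: States_{tr<=tr'}(x) = {z | x.tr <= z.tr}."""
    return frozenset(z for z in STATES if is_prefix(x[0], z[0]))

def PBMH(P):
    """PBMH(P) = exists ac0 . P[ac0/ac'] and ac0 subseteq ac' (upward closure in ac')."""
    return frozenset((s, ac) for s, ac in PAIRS if any((s, a0) in P for a0 in ACS if a0 <= ac))

def RA1(P):
    """Definition 109: RA1(P) = (P and ac' != {})[States_{tr<=tr'}(s) cap ac' / ac']."""
    def holds(s, ac):
        ac_r = states_tr_le(s) & ac
        return bool(ac_r) and (s, ac_r) in P
    return pred(holds)

def RA2(P):
    """Definition 110: restart from the empty trace, final traces relative to s.tr."""
    def holds(s, ac):
        tr, ref, wait = s
        s0 = ((), ref, wait)                                          # s (+) {tr -> <>}
        ac0 = frozenset((z[0][len(tr):], z[1], z[2]) for z in ac      # z (+) {tr -> z.tr - s.tr}
                        if is_prefix(tr, z[0]))
        return (s0, ac0) in P
    return pred(holds)

def p2ac_ac2p(P):
    """Lemma L.5.3.1: exists ac0, y . P[ac0/ac'] and ac0 subseteq {y} and y in ac'."""
    return pred(lambda s, ac: any((s, a0) in P for y in ac for a0 in (frozenset(), frozenset([y]))))

def refines(P, Q):
    """P is refined by Q iff Q implies P, i.e. Q's satisfying pairs are among P's."""
    return Q <= P

# Predicates used in the checks below.
TRUE, FALSE = frozenset(PAIRS), frozenset()
AC_EMPTY = pred(lambda s, ac: not ac)                # ac' = {}
AC_NONEMPTY = pred(lambda s, ac: bool(ac))           # ac' != {}
# Constructed: some final state extends s.tr by 'a' and has terminated (one state suffices).
ONE = pred(lambda s, ac: any(z[0] == s[0] + ('a',) and not z[2] for z in ac))
Z1, Z2 = (('a',), frozenset(), False), (('a',), frozenset(EVENTS), False)
TWO = pred(lambda s, ac: Z1 in ac and Z2 in ac)      # genuine angelic choice: both finals offered

def counter_example_4():
    """RA1 o PBMH(ac' = {}) is States_{tr<=tr'}(s) cap ac' != {}, whereas
    PBMH o RA1(ac' = {}) is false: PBMH and RA1 do not commute here."""
    lhs, rhs = RA1(PBMH(AC_EMPTY)), PBMH(RA1(AC_EMPTY))
    return lhs == pred(lambda s, ac: bool(states_tr_le(s) & ac)), rhs == FALSE, lhs == rhs

def theorem_t_5_2_9():
    """RA2(ac' != {}) = RA1(true)."""
    return RA2(AC_NONEMPTY) == RA1(TRUE)

def theorem_t_5_2_10(P):
    """RA2 o RA1(P) = RA1 o RA2(P), checked on one predicate."""
    return RA2(RA1(P)) == RA1(RA2(P))

def theorem_t_5_2_5(P):
    """PBMH o RA1 o PBMH(P) = RA1 o PBMH(P), checked on one predicate."""
    return PBMH(RA1(PBMH(P))) == RA1(PBMH(P))

def theorem_t_5_3_6():
    """p2ac o ac2p(P) refines P for upward-closed P: an equality when P needs at most
    one final state (ONE), and a collapse to false when it needs two (TWO)."""
    return (p2ac_ac2p(ONE) == ONE, refines(ONE, p2ac_ac2p(ONE)),
            p2ac_ac2p(TWO) == FALSE, refines(TWO, p2ac_ac2p(TWO)))

if __name__ == "__main__":
    for check in (counter_example_4, theorem_t_5_2_9, theorem_t_5_3_6):
        print(check.__name__, check())
    print("T.5.2.10 / T.5.2.5 on ONE:", theorem_t_5_2_10(ONE), theorem_t_5_2_5(ONE))
```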


The result of Theorem T.5.3.6 can be strengthened into an equality by considering
the subset of reactive angelic designs that are A2-healthy. These are reactive
processes that do not exhibit angelic nondeterminism. If we consider the application
of A2 to the process $a \to_{RAD} Stop_{RAD} \sqcup_{RAD} b \to_{RAD} Stop_{RAD}$, we obtain exactly
the same result as in Example 31. In other words, for reactive angelic designs, A2
characterises the same fixed points as $p2ac \circ ac2p(P)$. We observe, however, that in
general, A2 permits an empty set of final states, whereas in the theory of reactive
angelic designs, both RA1 and the mapping p2ac require the set of final states not
to be empty. For example, in the theory of angelic designs the bottom $\bot_D$ of the
lattice, which is true, is a fixed point of A2 (Lemma L.C.1.13).

Finally, Theorem T.5.3.7 establishes that the result $p2ac \circ ac2p(P)$ for a reactive
angelic design P that is A2-healthy yields exactly the same reactive angelic design
P.

Theorem T.5.3.7

Provided $P^f_f$ and $P^t_f$ are A2-healthy,

$p2ac \circ ac2p \circ RA \circ A(\neg P^f_f \vdash P^t_f) = RA \circ A(\neg P^f_f \vdash P^t_f)$

In summary, when we consider the theory of reactive angelic designs that are
A2-healthy, then we find that there is a bijection with the original theory of reactive
designs. Thus this subset is isomorphic to the theory of CSP.


5.4 Operators 

Having discussed the healthiness conditions of our theory, and the relationship with 
the original model of ICSPI in this section we present the definition of some important 
operators of ICSPI in the new model. For each of the operators we show how they 
relate to their original ICSPI counterparts. 

5.4.1 Angelic Choice 

The first operator of interest is angelic choice. Similarly to the theory of angelic 
designs, it is also defined as the least upper bound of the lattice, which is conjunction. 

Definition 117 P l_l RAD Q = P A Q 
For reactive angelic designs P and Q, this result can be restated as shown in the following Theorem T.5.4.1.

Theorem T.5.4.1 Provided P and Q are reactive angelic designs,

$P \sqcup_{RAD} Q = RA \circ A(\lnot P^f_f \lor \lnot Q^f_f \vdash (\lnot P^f_f \Rightarrow P^t_f) \land (\lnot Q^f_f \Rightarrow Q^t_f))$

The precondition of the resulting process is the disjunction of the preconditions of P and Q, while the postcondition is the conjunction of two implications. In both cases, if either the precondition of P or Q holds, then the corresponding postcondition is established. This is a result that is similar to that observed for the least upper bound of designs.

The least upper bound of this theory can be related with that of CSP as follows. If we consider two CSP processes P and Q, apply p2ac followed by the least upper bound $\sqcup_{RAD}$ and then ac2p, then we obtain the same result defined by the original least upper bound operator $\sqcup_R$ of CSP as shown in Theorem T.5.4.2.

Theorem T.5.4.2 $ac2p(p2ac(P) \sqcup_{RAD} p2ac(Q)) = P \sqcup_R Q$

Proof.

$ac2p(p2ac(P) \sqcup_{RAD} p2ac(Q))$ {Definition of $\sqcup_{RAD}$}
$= ac2p(p2ac(P) \land p2ac(Q))$ {Theorem T.C.5.2}
$= ac2p \circ p2ac(P) \land ac2p \circ p2ac(Q)$ {Theorem T.5.3.5}
$= P \land Q$ {Definition of $\sqcup_R$}
$= P \sqcup_R Q$

□


This is expected since we can express every existing CSP process in the new theory. The result in the opposite direction, however, is an inequality as shown in the following Theorem T.5.4.3.

Theorem T.5.4.3 Provided that P and Q are reactive angelic designs,

$p2ac(ac2p(P) \sqcup_R ac2p(Q)) \sqsupseteq P \sqcup_{RAD} Q$

Proof.

$p2ac(ac2p(P) \sqcup_R ac2p(Q))$ {Definition of $\sqcup_R$}
$= p2ac(ac2p(P) \land ac2p(Q))$ {Theorem T.4.6.2}
$\sqsupseteq p2ac \circ ac2p(P) \land p2ac \circ ac2p(Q)$ {Theorem T.G.7.13}
$\sqsupseteq PBMH(P) \land PBMH(Q)$ {P and Q are RAD-healthy and Theorem T.5.2.2}
$= P \land Q$ {Definition of $\sqcup_{RAD}$}
$= P \sqcup_{RAD} Q$

□


That is, there is a strengthening of the resulting predicate. This is expected, as in general the application of ac2p collapses the angelic nondeterminism, and p2ac cannot undo such an effect completely.

This concludes our discussion of the basic properties of angelic choice. In the following sections, and as we present the definition of the CSP operators, we revisit angelic choice and explore its role when applied together with other operators.


5.4.2 Demonic Choice 


Similarly to the definition of internal choice in CSP, in our theory this operator is also defined using the greatest lower bound of the lattice, disjunction.

Definition 118 $P \sqcap_{RAD} Q = P \lor Q$

For any two reactive angelic designs P and Q, their demonic choice can be described as a reactive angelic design as stated in Theorem T.5.4.4.

Theorem T.5.4.4 Provided P and Q are reactive angelic processes,

$P \sqcap_{RAD} Q = RA \circ A(\lnot P^f_f \land \lnot Q^f_f \vdash P^t_f \lor Q^t_f)$

That is, the resulting precondition is the conjunction of the respective preconditions of P and Q, while the postcondition is the disjunction of the respective postconditions of P and Q. Intuitively, in a demonic choice both preconditions need to be satisfied, while either the postcondition of P or Q may be observed.


The greatest lower bound of both theories can be related through the pair of linking functions p2ac and ac2p. Since p2ac distributes through disjunction we can establish the following general result in Theorem T.5.4.5.

Theorem T.5.4.5 $p2ac(ac2p(P) \sqcap_R ac2p(Q)) = p2ac \circ ac2p(P) \sqcap_{RAD} p2ac \circ ac2p(Q)$

Proof.

$p2ac(ac2p(P) \sqcap_R ac2p(Q))$ {Definition of $\sqcap_R$}
$= p2ac(ac2p(P) \lor ac2p(Q))$ {Theorem T.4.6.1}
$= p2ac \circ ac2p(P) \lor p2ac \circ ac2p(Q)$ {Definition of $\sqcap_{RAD}$}
$= p2ac \circ ac2p(P) \sqcap_{RAD} p2ac \circ ac2p(Q)$

□


If we consider two reactive angelic designs P and Q and apply ac2p, followed by the greatest lower bound $\sqcap_R$ and then p2ac, then this result can be directly obtained by applying $p2ac \circ ac2p$ followed by the greatest lower bound $\sqcap_{RAD}$. When P and Q are A2-healthy (Theorem T.5.3.7) we obtain the result shown in Lemma L.5.4.1.

Lemma L.5.4.1 Provided P and Q are reactive angelic designs and A2-healthy,

$p2ac(ac2p(P) \sqcap_R ac2p(Q)) = P \sqcap_{RAD} Q$
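The lemma is obtained by combining Theorem T.5.4.5 with Theorem T.5.3.7. The following calculation is an added worked derivation and not a proof taken from the thesis; it assumes that the A2-healthiness of P and Q carries over to their pre- and postconditions, which is the proviso under which Theorem T.5.3.7 is stated:

$p2ac(ac2p(P) \sqcap_R ac2p(Q))$ {Theorem T.5.4.5}
$= p2ac \circ ac2p(P) \sqcap_{RAD} p2ac \circ ac2p(Q)$ {Assumption: P and Q are RAD-healthy, so $P = RA \circ A(\lnot P^f_f \vdash P^t_f)$ and $Q = RA \circ A(\lnot Q^f_f \vdash Q^t_f)$; Theorem T.5.3.7 applied to each, assuming their pre- and postconditions are A2-healthy}
$= P \sqcap_{RAD} Q$

The only step that needs the A2 proviso is the second: for a reactive angelic design that is not A2-healthy, Theorem T.5.3.6 gives $p2ac \circ ac2p(P) \sqsupseteq P$ rather than equality, which is why the general Theorem T.5.4.5 relates the two demonic choices only through $p2ac \circ ac2p$.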


That is, for reactive angelic designs with no angelic nondeterminism, the demonic choice of both theories is in correspondence. Similarly, since ac2p also distributes through disjunction, we can establish the following result in the opposite direction, as shown in Theorem T.5.4.6.

Theorem T.5.4.6 $ac2p(p2ac(P) \sqcap_{RAD} p2ac(Q)) = P \sqcap_R Q$

That is, the greatest lower bound of both theories is in correspondence. Finally, since the least upper bound is conjunction, and the greatest lower bound is disjunction, angelic and demonic choice distribute over each other.


5.4.3 Chaos 

The following operator of interest is $Chaos_{RAD}$, which is the bottom of the lattice of reactive angelic designs.

Definition 119 $Chaos_{RAD} = RA \circ A(false \vdash ac' \neq \emptyset)$

Its precondition is false while the postcondition requires that ac' is not empty. The postcondition can alternatively be specified as true since both A and RA1 ensure that the design is A0-healthy. This process is a zero for demonic choice as established by Theorem T.5.4.7.

Theorem T.5.4.7 Provided P is a reactive angelic design,

$Chaos_{RAD} \sqcap_{RAD} P = Chaos_{RAD}$
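Theorem T.5.4.7 is stated here without proof. The following calculation is an added worked derivation, not the thesis's own proof; it uses Theorem T.5.4.4 together with the definition of a design, $(P \vdash Q) = (ok \land P \Rightarrow ok' \land Q)$, under which $(false \vdash Q) = true$ for every Q, and it follows the layout of the proof of Theorem T.5.4.8 given next:

$Chaos_{RAD} \sqcap_{RAD} P$ {Assumption: P is RAD-healthy}
$= Chaos_{RAD} \sqcap_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Definition of $Chaos_{RAD}$}
$= RA \circ A(false \vdash ac' \neq \emptyset) \sqcap_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.4.4}
$= RA \circ A(false \land \lnot P^f_f \vdash ac' \neq \emptyset \lor P^t_f)$ {Predicate calculus}
$= RA \circ A(false \vdash ac' \neq \emptyset \lor P^t_f)$ {Definition of design: $(false \vdash Q) = true$ for any Q}
$= RA \circ A(false \vdash ac' \neq \emptyset)$ {Definition of $Chaos_{RAD}$}
$= Chaos_{RAD}$

The decisive step is the false precondition: once it is false the design is the predicate $true$ whatever the postcondition, so no postcondition of P, angelic or otherwise, survives a demonic choice with immediate divergence. In the unit law that follows, the same false precondition instead disappears under the disjunction $false \lor \lnot P^f_f$.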


Similarly to the original theory, if a process may diverge immediately in a demonic choice, then this is the only possibility. The dual of this property is the unit law for angelic choice as shown in the following Theorem T.5.4.8.

Theorem T.5.4.8 Provided P is a reactive angelic design,

$Chaos_{RAD} \sqcup_{RAD} P = P$

Proof.

$Chaos_{RAD} \sqcup_{RAD} P$ {Assumption: P is RAD-healthy}
$= Chaos_{RAD} \sqcup_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Definition of $Chaos_{RAD}$}
$= RA \circ A(false \vdash ac' \neq \emptyset) \sqcup_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.4.1}
$= RA \circ A(false \lor \lnot P^f_f \vdash (false \Rightarrow ac' \neq \emptyset) \land (\lnot P^f_f \Rightarrow P^t_f))$ {Predicate calculus}
$= RA \circ A(\lnot P^f_f \vdash (\lnot P^f_f \Rightarrow P^t_f))$ {Definition of design and predicate calculus}
$= RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Assumption: P is RAD-healthy}
$= P$

□


When the angel is given the choice between diverging immediately or behaving as P, 
then the choice is resolved in favour of P. This is one of the fundamental properties 
underlying an angelic choice, in that, if possible, the angel can avoid divergence. 


The bottom of the lattice is also in direct correspondence with that of the original theory of CSP as Theorems T.5.4.9 and T.5.4.10 establish.

Theorem T.5.4.9 $ac2p(Chaos_{RAD}) = Chaos_R$

Theorem T.5.4.10 $p2ac(Chaos_R) = Chaos_{RAD}$

This is a reassuring result in that the bottom of the lattice of CSP also maps into the bottom of the lattice of reactive angelic designs and vice versa.


5.4.4 Choice 

The next operator we introduce in this section corresponds to Chaos in Roscoe's original presentation [17] of CSP, where it is the most nondeterministic process that does not diverge. In our model, this behaviour is given by $Choice_{RAD}$.

Definition 120 $Choice_{RAD} = RA \circ A(true \vdash ac' \neq \emptyset)$

The precondition is true while the postcondition allows any non-empty set of final states ac'. Similarly to the definition of $Chaos_{RAD}$, and every other reactive angelic design, we observe that the complete behaviour of a process is constrained by RA and thus the final states in ac' must observe the properties enforced by RA, notably that the traces are suffixes of the initial trace s.tr.

If we consider the design $Choice = (true \vdash true)$, then we can obtain a similar process in the theory of CSP by applying R as $Choice_R = R(true \vdash true)$. The application of p2ac to this process yields $Choice_{RAD}$ as shown in Theorem T.5.4.11.

Theorem T.5.4.11 $p2ac(Choice_R) = Choice_{RAD}$

Likewise, Theorem T.5.4.12 shows that applying ac2p to $Choice_{RAD}$ yields exactly the process $Choice_R$ of the CSP model.

Theorem T.5.4.12 $ac2p(Choice_{RAD}) = Choice_R$

As is discussed later in Section 5.5, the process $Choice_{RAD}$ plays an important role in the characterisation of the subset of non-divergent processes. The intuition is that for non-divergent processes, the addition of more choices does not change those that are actually available for angelic choice, which are those in the distributed intersection over all permitted values of ac'. Consider the general result of the least upper bound and $Choice_{RAD}$ in Theorem T.5.4.13.

Theorem T.5.4.13 Provided P is RAD-healthy,

$Choice_{RAD} \sqcup_{RAD} P = RA \circ A(true \vdash P^t_f)$

The precondition is true, while the postcondition $P^t_f$ is that of P. In other words, if P could diverge, this is no longer possible in an angelic choice with $Choice_{RAD}$.
Finally, when considering the greatest lower bound $\sqcap_{RAD}$ and $Choice_{RAD}$ we obtain the following result.

Theorem T.5.4.14 Provided P is RAD-healthy,

$Choice_{RAD} \sqcap_{RAD} P = RA \circ A(\lnot P^f_f \vdash ac' \neq \emptyset)$

Proof.

$Choice_{RAD} \sqcap_{RAD} P$ {Definition of $Choice_{RAD}$}
$= RA \circ A(true \vdash ac' \neq \emptyset) \sqcap_{RAD} P$ {Assumption: P is RAD-healthy}
$= RA \circ A(true \vdash ac' \neq \emptyset) \sqcap_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.4.4}
$= RA \circ A(true \land \lnot P^f_f \vdash ac' \neq \emptyset \lor P^t_f)$ {Predicate calculus}
$= RA \circ A(\lnot P^f_f \vdash ac' \neq \emptyset \lor P^t_f)$ {Definition of A, A0 and predicate calculus}
$= RA \circ A(\lnot P^f_f \vdash ac' \neq \emptyset)$

□

The precondition of P is maintained, while the postcondition requires a non-empty set of final states ac'. In other words, if there was a possibility to diverge in P, this is still the case. However, if the precondition $\lnot P^f_f$ is satisfied then the process behaves nondeterministically like $Choice_{RAD}$.

5.4.5 Stop 

Similarly to CSP, the notion of deadlock is captured by $Stop_{RAD}$.

Definition 121 $Stop_{RAD} = RA \circ A(true \vdash \epsilon_{ac'}(y.tr = s.tr \land y.wait))$

The precondition is true while the postcondition requires the process to always be waiting for the environment and keep the trace of events unchanged. In this definition and others to follow, we introduce the following auxiliary predicate.

Definition 122 $\epsilon_{ac'}(P) = \exists y \bullet y \in ac' \land P[\{y\}/ac']$

This definition requires that P admits a state y as a single option for angelic choice. In general, this predicate allows the definition of CSP operators to be lifted into the theory of reactive angelic designs. It can be further extrapolated to other CSP operators, such as external choice.
An angelic choice between a process P and $Stop_{RAD}$ is, in general, not resolved in favour of either process as shown in Theorem T.5.4.15.

Theorem T.5.4.15 Provided P is RAD-healthy,

$Stop_{RAD} \sqcup_{RAD} P = RA \circ A(true \vdash (\lnot P^f_f \Rightarrow P^t_f) \land \epsilon_{ac'}(y.tr = s.tr \land y.wait))$

Proof.

$Stop_{RAD} \sqcup_{RAD} P$ {Definition of $Stop_{RAD}$}
$= RA \circ A(true \vdash \epsilon_{ac'}(y.tr = s.tr \land y.wait)) \sqcup_{RAD} P$ {Assumption: P is RAD-healthy}
$= RA \circ A(true \vdash \epsilon_{ac'}(y.tr = s.tr \land y.wait)) \sqcup_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.4.1}
$= RA \circ A(true \lor \lnot P^f_f \vdash (\lnot P^f_f \Rightarrow P^t_f) \land \epsilon_{ac'}(y.tr = s.tr \land y.wait))$ {Predicate calculus}
$= RA \circ A(true \vdash (\lnot P^f_f \Rightarrow P^t_f) \land \epsilon_{ac'}(y.tr = s.tr \land y.wait))$

□

However, the possibility for divergence is avoided, since the precondition becomes true. If P diverges, then the process behaves as $Stop_{RAD}$, otherwise there is an angelic choice between P or $Stop_{RAD}$ which corresponds to the conjunction of their respective postconditions.

Finally, we can establish that the definition of $Stop_{RAD}$ is in correspondence with $Stop_R$ of CSP as established by Theorems T.5.4.16 and T.5.4.17.

Theorem T.5.4.16 $p2ac(Stop_R) = Stop_{RAD}$

Theorem T.5.4.17 $ac2p(Stop_{RAD}) = Stop_R$

This is a reassuring result that follows our intuition on using the auxiliary predicate $\epsilon_{ac'}$ to capture the definition of CSP operators in our new model.
5.4.6 Skip

The process that always terminates successfully is defined as $Skip_{RAD}$.

Definition 123 $Skip_{RAD} = RA \circ A(true \vdash \epsilon_{ac'}(\lnot y.wait \land y.tr = s.tr))$

Its precondition is true while the postcondition requires that there is a final state in ac' such that the trace of events s.tr is unchanged and that it terminates by requiring the component wait to be false.

Similarly to the case with $Stop_{RAD}$, the angelic choice between a process P and $Skip_{RAD}$ does not resolve in favour of either as Theorem T.5.4.18 shows.

Theorem T.5.4.18 Provided P is RAD-healthy,

$Skip_{RAD} \sqcup_{RAD} P = RA \circ A(true \vdash \epsilon_{ac'}(\lnot y.wait \land y.tr = s.tr) \land (\lnot P^f_f \Rightarrow P^t_f))$

However, the possibility for any divergence in P is avoided. If P diverges, then the angelic choice behaves as $Skip_{RAD}$, otherwise the behaviour is given by the conjunction of the postconditions of P and $Skip_{RAD}$. We consider in Example 32 an angelic choice between terminating and deadlocking.

Example 32

$Stop_{RAD} \sqcup_{RAD} Skip_{RAD}$ {Definition of $Stop_{RAD}$ and $Skip_{RAD}$}
$= RA \circ A(true \vdash \epsilon_{ac'}(y.tr = s.tr \land y.wait)) \sqcup_{RAD} RA \circ A(true \vdash \epsilon_{ac'}(\lnot y.wait \land y.tr = s.tr))$ {Theorem T.5.4.1}
$= RA \circ A(true \lor true \vdash (true \Rightarrow \epsilon_{ac'}(y.tr = s.tr \land y.wait)) \land (true \Rightarrow \epsilon_{ac'}(\lnot y.wait \land y.tr = s.tr)))$ {Predicate calculus}
$= RA \circ A(true \vdash \epsilon_{ac'}(y.tr = s.tr \land y.wait) \land \epsilon_{ac'}(\lnot y.wait \land y.tr = s.tr))$

In this case, the choice is not resolved by either process. If we map this example into the original theory of CSP, then we obtain the top $\top_R$ of that lattice, defined by $\top_R = R(true \vdash false)$, as Lemma L.5.4.2 establishes.

Lemma L.5.4.2 $ac2p(Stop_{RAD} \sqcup_{RAD} Skip_{RAD}) = \top_R$

This is because the result of mapping $Stop_{RAD} \sqcup_{RAD} Skip_{RAD}$ through ac2p insists on both waiting for an interaction and terminating. Likewise, if we map $\top_R$ through p2ac, the top of the lattice of reactive angelic designs is obtained. Thus, this is an instance of the general strengthening indicated by Theorem T.5.4.3. Although the miraculous process $\top_R$ is not part of the standard CSP semantics [17, 18], it plays an important role, for example, in the characterisation of deadline operators in the context of timed versions of process calculi.

Finally, the definition of $Skip_{RAD}$ can be related with the original $Skip_R$ process of CSP by applying p2ac and ac2p as established by Theorems T.5.4.19 and T.5.4.20.

Theorem T.5.4.19 $p2ac(Skip_R) = Skip_{RAD}$

Theorem T.5.4.20 $ac2p(Skip_{RAD}) = Skip_R$

In other words, as expected the two processes are in correspondence.


5.4.7 Sequential Composition 

The definition of sequential composition is exactly $;_{Dac}$ from the theory of angelic designs, which is itself layered upon $;_A$. When considering reactive angelic designs, we obtain the following closure result.

Theorem T.5.4.21 Provided P and Q are reactive angelic designs,

$P ;_{Dac} Q = RA \circ A\left(\begin{array}{l} \lnot (RA1(P^f_f) ;_A RA1(true)) \\ \land \\ \lnot (RA1(P^t_f) ;_A (\lnot s.wait \land RA2 \circ RA1(Q^f_f))) \\ \vdash \\ RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\lnot Q^f_f \Rightarrow Q^t_f))) \end{array}\right)$

This is a result that resembles that for CSP apart from the postcondition of the design. When s.wait is false, and hence $P^t_f$ has finished its interaction with the environment, the behaviour is given by $RA2 \circ RA1(\lnot Q^f_f \Rightarrow Q^t_f)$. In contrast with the result in CSP (Section 2.5.4), this is an implication between the pre and postcondition of Q, instead of its postcondition.

As previously discussed in Section 4.5.2, in the theory of angelic designs, the sequential composition operator also has a similar implication in the postcondition that acts as a filter by eliminating final states of P that fail to satisfy the precondition of Q. For example, we consider the result established in Lemma L.5.4.3.

Lemma L.5.4.3 $(Stop_{RAD} \sqcup_{RAD} Skip_{RAD}) ;_{Dac} Chaos_{RAD} = Stop_{RAD}$

In this case there is an angelic choice between deadlocking and terminating, followed by divergence. The angel avoids the divergence by choosing to deadlock. The precondition of $Chaos_{RAD}$ is unsatisfiable since it is false. Once the preceding process of the sequential composition terminates, that is, the component wait is false, then the composition diverges. However, because the angel can choose the non-terminating process $Stop_{RAD}$, the divergence can be avoided.

In general, when considering the result of applying the sequential composition of CSP to two processes P and Q mapped through ac2p, followed by p2ac, a strengthening is obtained as established by the following Theorem T.5.4.22.

Theorem T.5.4.22 Provided P and Q are reactive angelic designs,

$p2ac(ac2p(P) ; ac2p(Q)) \sqsupseteq P ;_{Dac} Q$

Proof.

$p2ac(ac2p(P) ; ac2p(Q))$ {Theorem T.G.7.11}
$= p2ac \circ ac2p(P) ;_{Dac} p2ac \circ ac2p(Q)$ {Theorem T.G.7.13 and Lemmas L.C.4.2 and L.C.4.3}
$\sqsupseteq PBMH(P) ;_{Dac} PBMH(Q)$ {Assumption: P and Q are RAD-healthy and Theorem T.5.2.2}
$= P ;_{Dac} Q$

□


We consider, for example, the case of the processes of Lemma L.5.4.3. As previously discussed in Section 5.4.6, the result of $ac2p(Skip_{RAD} \sqcup_{RAD} Stop_{RAD})$ is the top $\top_R$ of the lattice of reactive designs (Lemma L.5.4.2). The result of applying $ac2p(Chaos_{RAD})$ is the bottom $Chaos_R$ as established by Theorem T.5.4.9. The sequential composition of $\top_R$ followed by $Chaos_R$ is also $\top_R$. Applying $p2ac(\top_R)$ yields the top of the lattice of reactive angelic designs $\top_{RAD} = RA \circ A(true \vdash false)$. This is a trivial refinement of any process, including $Stop_{RAD}$.

If we strengthen the assumption of Theorem T.5.4.22 by considering the case where both P and Q are, in addition, A2-healthy, then an equality is obtained instead as established by Theorem T.5.4.23.

Theorem T.5.4.23 Provided P and Q are RAD-healthy and A2-healthy,

$p2ac(ac2p(P) ; ac2p(Q)) = P ;_{Dac} Q$

This is because A2-healthy processes do not have angelic nondeterminism, and so the result obtained in both models is exactly the same.

When considering two CSP processes P and Q, we also obtain an equality as shown in the following Theorem T.5.4.24.

Theorem T.5.4.24 $ac2p(p2ac(P) ;_{Dac} p2ac(Q)) = P ; Q$

This result confirms the correspondence of sequential composition in both models. In particular, the result of sequentially composing two CSP processes with no angelic nondeterminism can be directly calculated in the new model.

Finally, the sequential composition operator is closed under A2 for reactive angelic designs as shown in the following Theorem T.5.4.25.

Theorem T.5.4.25 Provided P and Q are reactive angelic designs and A2-healthy,

$A2(P ;_{Dac} Q) = P ;_{Dac} Q$

Therefore, given any two reactive angelic designs P and Q with no angelic nondeterminism, their sequential composition does not introduce any angelic choices. This concludes our discussion of the sequential composition operator.


5.4.8 Prefixing 

Having discussed the definition of sequential composition, in this section we introduce the definition of event prefixing, which is similar to that of CSP.

Definition 124

$a \to_{RAD} Skip_{RAD} = RA \circ A(true \vdash \epsilon_{ac'}((y.tr = s.tr \land a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)))$

The precondition is true, while the postcondition is split into two cases. When the process is waiting for an interaction from the environment, that is, y.wait is true, then a is not in the set of refusals and the trace s.tr is kept unchanged. In the second case, the process has interacted with the environment, and so the only guarantee is that the event a is part of the final trace y.tr.


Like for $Stop_{RAD}$ and $Skip_{RAD}$, an angelic choice between a process P and $a \to_{RAD} Skip_{RAD}$ avoids divergence as established by Theorem T.5.4.26.

Theorem T.5.4.26 Provided P is a reactive angelic design,

$a \to_{RAD} Skip_{RAD} \sqcup_{RAD} P = RA \circ A(true \vdash \epsilon_{ac'}((y.tr = s.tr \land a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \land (\lnot P^f_f \Rightarrow P^t_f))$

The complete behaviour of this process depends on that of P as well. If P diverges, then the process behaves as $a \to_{RAD} Skip_{RAD}$, otherwise there is an angelic choice between the behaviour of $a \to_{RAD} Skip_{RAD}$ and P.

Event prefixing in both theories is in exact correspondence as established by the following Theorems T.5.4.27 and T.5.4.28.

Theorem T.5.4.27 $ac2p(a \to_{RAD} Skip_{RAD}) = a \to_R Skip_R$

Theorem T.5.4.28 $p2ac(a \to_R Skip_R) = a \to_{RAD} Skip_{RAD}$

This is expected since event prefixing, even in the presence of angelic nondeterminism, does not behave differently to prefixing in the original theory of CSP.

In order to illustrate the behaviour of angelic choice we consider the following examples. In Example 33 we have a choice between terminating and deadlocking following event a, sequentially composed with $Chaos_{RAD}$. In general, the process $a \to_{RAD} P$ denotes the compound process $a \to_{RAD} Skip_{RAD} ;_{Dac} P$, whose result as a reactive angelic design is established by Theorem T.5.4.29.

Theorem T.5.4.29 Provided P is RAD-healthy,

$a \to_{RAD} P = RA \circ A(\lnot \exists y \bullet y.tr = s.tr \frown \langle a \rangle \land \lnot y.wait \land (RA2 \circ RA1(P^f_f))[y/s] \vdash \ldots (y.tr = s.tr \frown \langle a \rangle \land (RA2 \circ RA1(P^t_f))[y/s]) \ldots)$

The precondition states that it is not the case that once event a occurs the precondition of P fails to be satisfied. The postcondition considers two cases: when the process is waiting for the environment, the trace of events is kept unchanged and event a is not refused; when the process does event a, then the result is that of the postcondition of P with initial state y, where the trace y.tr includes event a.

Example 33

$((a \to_{RAD} Stop_{RAD}) \sqcup_{RAD} Skip_{RAD}) ;_{Dac} Chaos_{RAD} = a \to_{RAD} Stop_{RAD}$

Proof. Lemma L.G.8.13 □

In the case of Example 33, the angel avoids divergence by choosing non-termination, by allowing the environment to perform the event a and then deadlocking. In Example 34 there is a choice between terminating or diverging upon performing the event a.

Example 34

$(a \to_{RAD} Skip_{RAD}) \sqcup_{RAD} (a \to_{RAD} Chaos_{RAD})$ {Definition of prefixing and Theorem T.G.8.8}
$= RA \circ A(true \vdash \epsilon_{ac'}(y.wait \land y.tr = s.tr \land a \notin y.ref) \lor \epsilon_{ac'}(\lnot y.wait \land y.tr = s.tr \frown \langle a \rangle)) \sqcup_{RAD} RA \circ A(\lnot \epsilon_{ac'}(s.tr \frown \langle a \rangle \leq y.tr) \vdash \epsilon_{ac'}(y.wait \land y.tr = s.tr \land a \notin y.ref))$ {Theorem T.5.4.1 and predicate calculus}
$= RA \circ A(true \vdash (\epsilon_{ac'}(y.wait \land y.tr = s.tr \land a \notin y.ref) \lor \epsilon_{ac'}(\lnot y.wait \land y.tr = s.tr \frown \langle a \rangle)) \land (\epsilon_{ac'}(s.tr \frown \langle a \rangle \leq y.tr) \lor \epsilon_{ac'}(y.wait \land y.tr = s.tr \land a \notin y.ref)))$ {Predicate calculus}
$= RA \circ A(true \vdash \epsilon_{ac'}(y.wait \land y.tr = s.tr \land a \notin y.ref) \lor \epsilon_{ac'}(\lnot y.wait \land y.tr = s.tr \frown \langle a \rangle))$ {Definition of prefixing}
$= a \to_{RAD} Skip_{RAD}$


The result is a process that following event a can only terminate, and thus avoids divergence. This property illustrates that our angelic choice operator is a counterpart to that of the refinement calculus. It resolves choices to avoid divergence but here we have choices over interactions.

However, if we consider the processes of Example 34 to be prefixes on different events, the result of the angelic choice is rather different as shown in Example 35.

Example 35

$(a \to_{RAD} Skip_{RAD}) \sqcup_{RAD} (b \to_{RAD} Chaos_{RAD}) = (a \to_{RAD} Skip_{RAD}) \sqcup_{RAD} (b \to_{RAD} Choice_{RAD})$

Proof. Lemma L.G.8.9 □

In this case, the possibility of diverging after the event a is avoided by turning $Chaos_{RAD}$ into $Choice_{RAD}$. The possibility for engaging in the event a cannot be avoided by the angel, since RA1 requires that under all circumstances no trace of events may be undone. Ideally for a counterpart to the angelic choice of the refinement calculus, it should be possible to discard any trace of events that lead to divergence. This is the motivation for the theory of angelic processes that we introduce in the following Chapter 6.


5.4.9 External Choice

External choice, which offers the environment the choice over the events initially offered by processes P and Q, is similarly (Section 2.5.4) defined in our theory as follows.

Definition 125

$P \Box_{RAD} Q = RA \circ A(\lnot P^f_f \land \lnot Q^f_f \vdash \epsilon_{ac'}((P^t_f \land Q^t_f) \lhd y.tr = s.tr \land y.wait \rhd (P^t_f \lor Q^t_f)))$

The precondition is the conjunction of the preconditions of the processes P and Q, while the postcondition is split into two cases. When the process is waiting and the trace of events s.tr is unchanged, then the behaviour is given by the conjunction of both postconditions, otherwise it is given by their disjunction. In other words, before the process performs any event, P and Q must be in agreement. In particular, if there is angelic nondeterminism in either P or Q, there must be an agreement on a single common state in ac'.

Once the process has finished interacting with the environment or performed an event, there is a choice between P and Q. Even if there is angelic nondeterminism in either P or Q, then there is also a requirement for there to be an agreement on a final state, as enforced by the lifting $\epsilon_{ac'}$. We consider, for example, the following result on the external choice between a reactive angelic design and $Stop_{RAD}$.

Theorem T.5.4.30 Provided P is a reactive angelic design,

$P \Box_{RAD} Stop_{RAD} = RA \circ A(\lnot P^f_f \vdash \exists y \bullet (P^t_f)[\{y\}/ac'] \land y \in ac')$








That is, the angelic nondeterminism of P is collapsed. Unlike in the original theory of CSP, $Stop_{RAD}$ is not necessarily a unit for external choice. However, when considering the subset of reactive angelic designs corresponding to CSP processes, which are the A2-healthy, then $Stop_{RAD}$ is a unit as expected.


Theorem T.5.4.31 Provided P is a reactive angelic design and A2-healthy,

$P \Box_{RAD} Stop_{RAD} = P$

Theorem T.5.4.31 follows from the correspondence of the operator in both models, which we discuss below, and the proviso which ensures that there is no angelic nondeterminism in P.


As established by the following Theorem T.5.4.32, the result of mapping two CSP processes P and Q through p2ac and composing them with the external choice operator $\Box_{RAD}$ of reactive angelic designs, followed by the mapping ac2p in the opposite direction, is exactly the same as applying $\Box_R$ to the original processes.

Theorem T.5.4.32 Provided that P and Q are CSP processes,

$ac2p(p2ac(P) \Box_{RAD} p2ac(Q)) = P \Box_R Q$

However, if we consider the application in the opposite direction in the following Theorem T.5.4.33, the result obtained is not an equality.

Theorem T.5.4.33 Provided P and Q are reactive angelic designs,

$p2ac(ac2p(P) \Box_R ac2p(Q)) \sqsupseteq P \Box_{RAD} Q$

This establishes that by considering two reactive angelic designs, applying ac2p to both, composing the result with the external choice operator of CSP and then mapping back through p2ac, the result obtained is stronger than the respective composition using $\Box_{RAD}$. This follows from the fact that, since P and Q can be nondeterministic, and external choice is monotonic with respect to refinement, the application of ac2p may yield stronger processes.

We consider the following Example 36 in the context of Theorem T.5.4.33. Here we have an angelic choice between engaging in an event a or an event b followed by divergence, with $Stop_{RAD}$ in an external choice.
Example 36

$(a \to_{RAD} Chaos_{RAD} \sqcup_{RAD} b \to_{RAD} Chaos_{RAD}) \Box_{RAD} Stop_{RAD}$
$= RA \circ A(\lnot (\epsilon_{ac'}(s.tr \frown \langle a \rangle \leq y.tr) \land \epsilon_{ac'}(s.tr \frown \langle b \rangle \leq y.tr)) \vdash \epsilon_{ac'}(y.wait \land y.tr = s.tr \land a \notin y.ref \land b \notin y.ref))$

Proof. Lemma L.G.8.7 □

The precondition requires that there is not a final state where the trace includes the event a or the event b. The postcondition states that the process is always waiting for the environment, while keeping the trace of events unchanged and not refusing either a or b. The mapping through ac2p of the left-hand side of Example 36 yields a CSP process whose precondition is true as shown in the following Example 37.

Example 37

$ac2p(a \to_{RAD} Chaos_{RAD} \sqcup_{RAD} b \to_{RAD} Chaos_{RAD}) = R(true \vdash tr' = tr \land wait' \land a \notin ref' \land b \notin ref')$

Proof. Lemma L.G.8.1 □

The postcondition, expressed in the theory of reactive designs, is similar to that of Example 36. The mapping of Example 37 through p2ac yields a refinement of the reactive angelic design of Example 36. This is an expected result, which follows from the general result of Theorem T.5.4.33.

If we consider reactive angelic designs that are in addition A2-healthy, an equality is obtained as established by Theorem T.5.4.34.

Theorem T.5.4.34 Provided P and Q are RAD-healthy and A2-healthy,

$p2ac(ac2p(P) \Box_R ac2p(Q)) = P \Box_{RAD} Q$

Furthermore, the external choice operator is also closed under A2 as established by Theorem T.5.4.35.

Theorem T.5.4.35 Provided P and Q are reactive angelic designs and A2-healthy,

$A2(P \Box_{RAD} Q) = P \Box_{RAD} Q$

In other words, the definition of external choice is in correspondence between both models for processes with no angelic nondeterminism.


5.5 Non-divergent Reactive Angelic Designs 

As previously discussed in Chapter 1, and as part of our approach to studying the relationship between theories, it is useful to identify the subset of non-divergent reactive angelic designs. These are processes that satisfy the following healthiness condition $ND_{RAD}$.

Definition 126 $ND_{RAD}(P) = P \sqcup_{RAD} Choice_{RAD}$

This function is defined using the least upper bound of the lattice $\sqcup_{RAD}$ and the most nondeterministic process $Choice_{RAD}$ that does not diverge. The intuition underlying $ND_{RAD}$ is that, for a given process P, increasing the number of final states available for angelic choice does not actually add any new choices, unless the process P could itself diverge. We consider the following Example 38 where the function $ND_{RAD}$ is applied to the bottom of the lattice $Chaos_{RAD}$.

Example 38 $ND_{RAD}(Chaos_{RAD}) = Choice_{RAD}$

Proof. Lemma L.G.6.1 □

The divergence is avoided and the result is the process $Choice_{RAD}$. If instead we consider a process that is not divergent, such as $Skip_{RAD}$, the result is as follows.

Example 39 $ND_{RAD}(a \to_{RAD} Skip_{RAD}) = a \to_{RAD} Skip_{RAD}$

Proof. Lemma L.G.6.2 □

The process is a fixed point of $ND_{RAD}$.


The function $ND_{RAD}$ is idempotent as shown in the following Theorem T.5.5.1.

Theorem T.5.5.1 $ND_{RAD} \circ ND_{RAD}(P) = ND_{RAD}(P)$

Proof.

$ND_{RAD} \circ ND_{RAD}(P)$ {Definition of $ND_{RAD}$}
$= ND_{RAD}(P) \sqcup_{RAD} Choice_{RAD}$ {Definition of $ND_{RAD}$}
$= P \sqcup_{RAD} Choice_{RAD} \sqcup_{RAD} Choice_{RAD}$ {Predicate calculus}
$= P \sqcup_{RAD} Choice_{RAD}$ {Definition of $ND_{RAD}$}
$= ND_{RAD}(P)$

□


More importantly, when considering a reactive angelic design P, Theorem T.5.5.2 establishes that the application of $ND_{RAD}$ to a reactive angelic design P requires the precondition of the design to be true.

Theorem T.5.5.2 Provided P is RAD-healthy,

$ND_{RAD}(P) = RA \circ A(true \vdash P^t_f)$
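Theorem T.5.5.2 is a direct consequence of Theorem T.5.4.13 on the angelic choice with $Choice_{RAD}$. The following calculation is an added worked derivation and not a proof from the thesis; its only assumption beyond the cited theorem is that $\sqcup_{RAD}$, being conjunction by Definition 117, is commutative:

$ND_{RAD}(P)$ {Definition of $ND_{RAD}$}
$= P \sqcup_{RAD} Choice_{RAD}$ {Definition of $\sqcup_{RAD}$ as conjunction, which is commutative}
$= Choice_{RAD} \sqcup_{RAD} P$ {Theorem T.5.4.13, assumption: P is RAD-healthy}
$= RA \circ A(true \vdash P^t_f)$

The same commutativity, together with the idempotence of conjunction, is the "Predicate calculus" step in the proof of Theorem T.5.5.1 above, where the repeated $Choice_{RAD}$ is absorbed.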


Furthermore, if we consider the fixed points of $ND_{RAD}$ then we obtain the following result in Theorem T.5.5.3.

Theorem T.5.5.3 Provided P is RAD-healthy,

$ND_{RAD}(P) = P \Leftrightarrow \forall s, ac' \bullet \lnot P^f_f$

That is, it must be the case that the precondition $\lnot P^f_f$ of the reactive angelic design P is satisfied for every possible initial state s and set of final states ac'. These complementary results confirm our intuition about the definition of $ND_{RAD}$.


5.6 Final Considerations 

Based on the underlying principles of the theory of CSP [29], and the model of angelic designs presented in Chapter 4, in this chapter we have presented a model for CSP where both angelic and demonic nondeterminism can be expressed. The approach we have followed consists of a natural extension to the existing CSP model. First we have encoded the observational variables of the theory of reactive processes and enforced all of the healthiness conditions of the original model in this new theory. Similarly to the original theory of CSP, we have shown how CSP processes can be specified through reactive angelic designs. We have then established links with the original theory and studied this relationship.

We have established that there is a Galois connection between the theory of reactive angelic designs and CSP. In addition, when considering the subset of processes that are A2-healthy, this relationship can be strengthened into a bijection. We have studied the most important operators of the theory and shown that they are in correspondence with their CSP counterparts. Furthermore, we have also proposed a natural way for specifying existing CSP operators in this new theory, including, for example, the external choice operator. While the definition of the external choice operator preserves the semantics of CSP, it is not the only one possible. Indeed, we hypothesize that there are other plausible semantics-preserving definitions for external choice with different algebraic properties. For example, when considering an external choice which includes angelic choices, it may be desirable to allow the environment to choose any of those choices.

Finally, a number of examples have been presented to illustrate the role of angelic choice in a theory of CSP. In particular, we have shown that, whenever possible, angelic choice avoids divergence. This behaviour is closer in spirit to that of the original choice operator of the refinement calculus than that of any other notion of angelic choice for CSP of which we are aware. However, this avoidance still preserves any potential sequence of observable events. Ideally, the counterpart to the angelic choice of the refinement calculus should avoid any divergent behaviour altogether. For example, in the case of Example 35 the angelic choice should be resolved in favour of $a \to_{RAD} \mathit{Skip}_{RAD}$. This is the motivation for the theory of angelic processes, which we discuss in the next Chapter 6.












Chapter 6 

Angelic Processes 


Following from the impossibility for the angel to completely avoid divergent processes in the theory of reactive angelic designs, and based on its underlying principles, in this chapter we present a different approach to characterising CSP processes with angelic nondeterminism. The result is a theory which better accommodates the angelic choice over divergent processes, in that the resulting algebraic properties are closer in spirit to the angelic choice of the refinement calculus. In Section 6.1 we revisit the motivation for this theory and discuss our approach. Section 6.2 introduces the healthiness conditions of the theory and discusses their relationship with the theory of reactive angelic designs. In Section 6.3 we study the relationship between the two models and establish that the subsets of non-divergent processes are isomorphic. In Section 6.4 we present operators of this model and discuss some of their properties as well as their relationship with counterparts in the theory of reactive angelic designs. Finally, the chapter ends with a summary of the results in Section 6.5.


6.1 Introduction 

As previously discussed in Chapter 5, in the theory of reactive angelic designs, healthy processes, as required by RA1, must never undo the history of events. For example, the definition of Chaos_RAD, which diverges immediately, guarantees that there is always a final state in ac' where the trace of events is a suffix of the initial trace s.tr. This behaviour is as expected for a theory of processes.

Since angelic choice is defined as the least upper bound, and Chaos_RAD is the bottom of the lattice of reactive angelic designs, it follows that immediate divergence is avoided, if possible, by the angel. However, once there is the possibility of interacting with the environment, such as in the case of Example 33, the possibility of performing an event followed by divergence cannot be eliminated completely, as doing so would violate RA1. This is unlike the angelic choice of the refinement calculus and the theory of angelic designs, where angelic choices leading to divergence are pruned altogether.

In this chapter we propose a theory like RAD, but which does not necessarily enforce RA1 when a process diverges. This is a departure from the norm for a theory of CSP. The main consequence of this approach is that divergent processes have a different semantics to standard CSP. However, the subset of non-divergent processes preserves the existing semantics defined by RAD, and by extension, the semantics of non-divergent CSP processes.


6.2 Healthiness Conditions 


The alphabet of angelic processes is exactly the same as that of reactive angelic designs. Namely, we have variables ok, ok', s and ac', where a State is defined with components tr, ref and wait.

As with every UTP theory, we define the healthiness conditions. Since we aim to define a theory like RAD, but without necessarily enforcing RA1, we focus our attention on the definition of RAD, which we reproduce below.

$\mathbf{RAD}(P) = \mathbf{RA1} \circ \mathbf{RA2} \circ \mathbf{RA3} \circ \mathbf{CSPA1} \circ \mathbf{CSPA2} \circ \mathbf{PBMH}(P)$

If we simply remove RA1 from the functional composition, then A0 is not necessarily enforced any more, and thus successful termination does not guarantee that ac' is not empty. Furthermore, CSPA1 is also stronger than required, since when in an unstable state, that is ¬ok, RA1 should not be enforced. Equally, the identity $I\!I_{RAD}$ and, therefore, RA3 also need to be changed, so that divergence no longer requires RA1. This leads us to the following healthiness condition AP.

Definition 127  $\mathbf{AP}(P) = \mathbf{RA3}_{AP} \circ \mathbf{RA2} \circ \mathbf{A} \circ \mathbf{H1} \circ \mathbf{CSPA2}(P)$

The healthiness condition RA3 is replaced with RA3_AP, which does not require RA1. The function A is included in the functional composition since it enforces both A0 and A1 (itself PBMH, as previously discussed in Section 4.2.2), as required. The function CSPA1 is replaced with H1, since in an unstable state, that is, when ¬ok is true, RA1 is no longer enforced. Finally, CSPA2 is enforced as in RAD.

The definition of RA3_AP is introduced in the following Section 6.2.1. In Section 6.2.2 the definition of AP is explored in more detail. Finally, in Section 6.2.3 the subset of non-divergent angelic processes is characterised by another healthiness condition, ND_AP.


6.2.1 Redefining RA3 as RA3_AP

Similarly to the theory of reactive angelic designs, we define a new identity $I\!I_{AP}$ as follows.

Definition 128  $I\!I_{AP} = \mathbf{H1}(ok' \land s \in ac')$

In contrast with the definition of $I\!I_{RAD}$, there is no longer a requirement for RA1 to be enforced when the process is unstable and ok is false. Instead, the only guarantee in this case is that if the process is stable, and ok is true, then stability is maintained and the state is kept unchanged, by requiring the initial state s to be in the set of final states ac'.

The definition of RA3_AP is similar to that of RA3, except that we use the identity $I\!I_{AP}$, which does not enforce RA1, instead of $I\!I_{RAD}$.

Definition 129  $\mathbf{RA3}_{AP}(P) = I\!I_{AP} \lhd s.wait \rhd P$

The function RA3_AP is idempotent and monotonic, as established by the following Theorems T.6.2.1 and T.6.2.2. Proofs of these and other theorems to follow, which are not included explicitly in the body of this thesis, can be found in Appendix H.

Theorem T.6.2.1  $\mathbf{RA3}_{AP} \circ \mathbf{RA3}_{AP}(P) = \mathbf{RA3}_{AP}(P)$

Theorem T.6.2.2  $P \sqsubseteq Q \Rightarrow \mathbf{RA3}_{AP}(P) \sqsubseteq \mathbf{RA3}_{AP}(Q)$


Furthermore, it distributes through both conjunction and disjunction.

Theorem T.6.2.3  $\mathbf{RA3}_{AP}(P \land Q) = \mathbf{RA3}_{AP}(P) \land \mathbf{RA3}_{AP}(Q)$

Theorem T.6.2.4  $\mathbf{RA3}_{AP}(P \lor Q) = \mathbf{RA3}_{AP}(P) \lor \mathbf{RA3}_{AP}(Q)$

Since RA3_AP is idempotent and distributes through both conjunction and disjunction, conjunction and disjunction are closed under RA3_AP. More importantly, the operator $;_{\mathcal{A}}$ is closed under RA3_AP.

Theorem T.6.2.5  Provided P and Q are RA3_AP-healthy,

$\mathbf{RA3}_{AP}(P ;_{\mathcal{A}} Q) = P ;_{\mathcal{A}} Q$

Finally, RA3_AP commutes with PBMH and RA2, as established by the following Theorems T.6.2.6 and T.6.2.7.

Theorem T.6.2.6  $\mathbf{RA3}_{AP} \circ \mathbf{PBMH}(P) = \mathbf{PBMH} \circ \mathbf{RA3}_{AP}(P)$

Proof.

$\mathbf{RA3}_{AP} \circ \mathbf{PBMH}(P)$
$= \mathbf{H1}(ok' \land s \in ac') \lhd s.wait \rhd \mathbf{PBMH}(P)$ {Definition of RA3_AP}
$= \mathbf{H1}(ok' \land \mathbf{PBMH}(s \in ac')) \lhd s.wait \rhd \mathbf{PBMH}(P)$ {Lemma L.E.4.3}
$= \mathbf{H1} \circ \mathbf{PBMH}(ok' \land s \in ac') \lhd s.wait \rhd \mathbf{PBMH}(P)$ {Lemma L.E.4.8}
$= \mathbf{PBMH} \circ \mathbf{H1}(ok' \land s \in ac') \lhd s.wait \rhd \mathbf{PBMH}(P)$ {Theorem T.E.6.2}
$= \mathbf{PBMH}(\mathbf{H1}(ok' \land s \in ac') \lhd s.wait \rhd P)$ {Lemma L.E.4.9}
$= \mathbf{PBMH} \circ \mathbf{RA3}_{AP}(P)$ {Definition of RA3_AP}

□

Theorem T.6.2.7  $\mathbf{RA2} \circ \mathbf{RA3}_{AP}(P) = \mathbf{RA3}_{AP} \circ \mathbf{RA2}(P)$

Theorem T.6.2.6 is important in establishing that RA3_AP preserves the upward closure of PBMH. This is established by Lemma L.6.2.1.

Lemma L.6.2.1  $\mathbf{PBMH} \circ \mathbf{RA3}_{AP} \circ \mathbf{PBMH}(P) = \mathbf{RA3}_{AP} \circ \mathbf{PBMH}(P)$

This concludes our discussion of the most important properties of RA3_AP.


6.2.2 Angelic Processes (AP) 


As already mentioned, the theory of angelic processes is characterised by the functional composition of RA3_AP, RA2, A, H1 and CSPA2. A parallel result to that of the theory of reactive angelic designs (Theorem T.5.2.20) can be obtained, as established by the following Theorem T.6.2.8: AP processes can also be expressed in terms of a design.

Theorem T.6.2.8  $\mathbf{AP}(P) = \mathbf{RA3}_{AP} \circ \mathbf{RA2} \circ \mathbf{A}(\lnot P^f_f \vdash P^t_f)$

Proof.

$\mathbf{AP}(P)$
$= \mathbf{RA3}_{AP} \circ \mathbf{RA2} \circ \mathbf{A} \circ \mathbf{H1} \circ \mathbf{CSPA2}(P)$ {Definition of AP}
$= \mathbf{RA3}_{AP} \circ \mathbf{RA2} \circ \mathbf{A} \circ \mathbf{H1} \circ \mathbf{H2}(P)$ {Definition of CSPA2}
$= \mathbf{RA3}_{AP} \circ \mathbf{RA2} \circ \mathbf{A}(\lnot P^f \vdash P^t)$ {Property of designs}
$= \mathbf{RA2} \circ \mathbf{RA3}_{AP} \circ \mathbf{A}(\lnot P^f \vdash P^t)$ {Theorem T.6.2.7}
$= \mathbf{RA2} \circ \mathbf{RA3}_{AP}(\mathbf{A}(\lnot P^f \vdash P^t)_f)$ {Lemma L.5.2.1}
$= \mathbf{RA2} \circ \mathbf{RA3}_{AP} \circ \mathbf{A}((\lnot P^f \vdash P^t)_f)$ {Lemma L.C.1.5}
$= \mathbf{RA2} \circ \mathbf{RA3}_{AP} \circ \mathbf{A}(\lnot P^f_f \vdash P^t_f)$ {Substitution}
$= \mathbf{RA3}_{AP} \circ \mathbf{RA2} \circ \mathbf{A}(\lnot P^f_f \vdash P^t_f)$ {Theorem T.6.2.7}

□

This result establishes that an angelic process can also be specified in terms of pre and postconditions, as the image of a design through the functions RA3_AP, RA2 and A. Since these functions are all idempotent and monotonic, and the theory of designs is a complete lattice [39], so is the theory of angelic processes.


The original theory of CSP is not a theory of designs, since when ok is false, R1 must hold, unlike in the theory of designs, where H1 requires that no meaningful observations can be made about a design unless it is started, that is, unless ok is true. Here, since we have dropped RA1, the theory we propose is in fact a theory of angelic designs, as established by the following Theorem T.6.2.9.

Theorem T.6.2.9

$\mathbf{AP}(P) = (\mathit{true} \lhd s.wait \rhd \lnot \mathbf{RA2} \circ \mathbf{PBMH}(P^f_f) \vdash s \in ac' \lhd s.wait \rhd \mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(P^t_f))$

Proof.

$\mathbf{AP}(P)$
$= \mathbf{RA3}_{AP} \circ \mathbf{RA2} \circ \mathbf{A}(\lnot P^f_f \vdash P^t_f)$ {Theorem T.6.2.8}
$= \mathbf{RA3}_{AP} \circ \mathbf{RA2}(\lnot \mathbf{PBMH}(P^f_f) \vdash \mathbf{PBMH}(P^t_f) \land ac' \neq \emptyset)$ {Definition of A}
$= \mathbf{RA3}_{AP}(\lnot \mathbf{RA2} \circ \mathbf{PBMH}(P^f_f) \vdash \mathbf{RA2}(\mathbf{PBMH}(P^t_f) \land ac' \neq \emptyset))$ {Lemma L.G.2.15}
$= \mathbf{RA3}_{AP}(\lnot \mathbf{RA2} \circ \mathbf{PBMH}(P^f_f) \vdash \mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(P^t_f))$ {Lemma L.G.2.9}
$= (\mathit{true} \lhd s.wait \rhd \lnot \mathbf{RA2} \circ \mathbf{PBMH}(P^f_f) \vdash s \in ac' \lhd s.wait \rhd \mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(P^t_f))$ {Lemma L.H.1.4}

□

The precondition of the design has a conditional on s.wait. If the previous process has not terminated interacting with the environment, then this is simply true. Otherwise, the original precondition of P must be satisfied, and its negation must be PBMH and RA2-healthy. We recall that in a non-H3 design it is actually the negation of the precondition that is established irrespective of termination.

The postcondition of an angelic process also has a conditional on s.wait. When the previous process has not terminated its interactions with the environment, then the state is kept unchanged by making sure that the initial state s is in the set of final states ac'. Otherwise, the original postcondition of P holds and must be PBMH, RA2 and RA1-healthy.

Although we have dropped RA1, because the postcondition requires that the set of final states ac' is not empty, and since we enforce RA2, RA1 is in fact enforced in the postcondition (Theorem T.5.2.9). Similarly, if the negation of the precondition imposes any particular set of final states ac', because it must also be RA2-healthy, it will also enforce RA1.


6.2.3 Non-divergent Angelic Processes (ND_AP)


Like in the theory of reactive angelic designs, it is possible to identify the subset of non-divergent angelic processes. These are angelic processes that satisfy the following healthiness condition ND_AP. As depicted in Figures [illegible] and 1.6, we show that the subsets of non-divergent processes of the theory of angelic processes and of reactive angelic designs are isomorphic. This is a key result that supports our hypothesis on the preservation of the semantics of a subset of CSP.

Definition 130  $\mathbf{ND}_{AP}(P) = \mathit{Choice}_{AP} \sqcup_{AP} P$

The definition of ND_AP is similar to that of ND_RAD, except that here we use the corresponding least upper bound $\sqcup_{AP}$ and Choice_AP operators of the theory of angelic processes. An angelic process that is non-divergent can be characterised as established by the following Theorem T.6.2.10.

Theorem T.6.2.10  Provided P is AP-healthy,

$\mathit{Choice}_{AP} \sqcup_{AP} P = (\mathit{true} \vdash s \in ac' \lhd s.wait \rhd \mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(P^t_f))$

The precondition is true, while the postcondition corresponds to that of P. If P could diverge, then by applying ND_AP this is no longer the case. Since in H3-healthy designs the precondition cannot have any free dashed variables, every non-divergent angelic process is also H3-healthy. However, not every H3-healthy angelic process is necessarily non-divergent. For example, the angelic process $(s.wait \vdash s \in ac')$ is H3-healthy; however, it diverges when s.wait is false.


6.3 Relationship with Reactive Angelic Designs 


As part of our approach for validating the theories we propose, in this section we study the relationship between the theory of angelic processes and reactive angelic designs. Through the links previously discussed in Section 5.3 between the theory of reactive angelic designs and CSP, these results also link this new theory to that of CSP.

In Section 6.3.1 we discuss how reactive angelic designs can be mapped into the theory of angelic processes. In Section 6.3.2 we present the reverse mapping between angelic processes and reactive angelic designs. Finally, in Section 6.3.3 we show that the subsets of non-divergent processes of both theories are isomorphic.


6.3.1 From Reactive Angelic Designs to Angelic Processes 

As already mentioned, in defining AP we have dropped RA1, and thus the theory of angelic processes is a theory of designs that satisfies both H1 and H2. Therefore, a reactive angelic design can be turned into an angelic process by applying H1. Since CSPA2 is equally enforced in both models, H2 is also satisfied.

The following result characterises the designs obtained when we apply H1 to a reactive angelic design RAD.

Theorem T.6.3.1

$\mathbf{H1} \circ \mathbf{RAD}(P) = (\mathit{true} \lhd s.wait \rhd \lnot \mathbf{RA1} \circ \mathbf{RA2} \circ \mathbf{PBMH}(P^f_f) \vdash s \in ac' \lhd s.wait \rhd \mathbf{RA1} \circ \mathbf{RA2} \circ \mathbf{PBMH}(P^t_f))$

In words, and considering the general result for angelic processes established by Theorem T.6.2.9, the postcondition is exactly the same as that of any other angelic process, while the precondition requires, in addition, that $P^f_f$ is RA1-healthy. This is a property carried over from the theory of reactive angelic designs, where the negation of the precondition must also be RA1-healthy (Lemma L.G.1.23).

We consider the following Example 40, where H1 is applied to Chaos_RAD.

Example 40  $\mathbf{H1}(\mathit{Chaos}_{RAD}) = (s.wait \lor \lnot \mathbf{RA1}(\mathit{true}) \vdash s.wait \land s \in ac')$

Proof. Theorem T.6.4.10

□

In this case, if the previous process is still waiting for the environment, and s.wait is true, then the state is kept unchanged by requiring s to be in the set of final states ac'. Otherwise, once the process starts, and s.wait is false, the design can be restated as $ok \Rightarrow \mathbf{RA1}(\mathit{true})$.


Non-divergent Processes 


The application of H1 to a reactive angelic design that is non-divergent, that is, ND_RAD-healthy, is established by Lemma L.6.3.1.

Lemma L.6.3.1

$\mathbf{H1} \circ \mathbf{RA} \circ \mathbf{A}(\mathit{true} \vdash P^t_f) = (\mathit{true} \vdash s \in ac' \lhd s.wait \rhd \mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(P^t_f))$

The precondition is true, similarly to the original reactive angelic design, while the postcondition is that corresponding to the mapping through H1, which follows the general result of Theorem T.6.3.1. We consider, for example, the mapping of the process Skip_RAD through H1.

Example 41

$\mathbf{H1}(\mathit{Skip}_{RAD}) = (\mathit{true} \vdash s \in ac' \lhd s.wait \rhd (\exists\, y \in ac' \bullet \lnot y.wait \land y.tr = s.tr))$

Proof. Theorem T.6.4.16 and Lemma L.H.1.9

□

The original postcondition of Skip_RAD is kept intact on the right-hand side of the conditional on s.wait.

6.3.2 From Angelic Processes to Reactive Angelic Designs 

When considering the mapping in the opposite direction, from angelic processes to reactive angelic designs, we must ensure that RA1 is observed under all circumstances. Therefore, the mapping we need is RA1 itself. The result of applying RA1 to an angelic process is established by Theorem T.6.3.2.

Theorem T.6.3.2  $\mathbf{RA1} \circ \mathbf{AP}(P) = \mathbf{RA} \circ \mathbf{A}(\lnot P^f_f \vdash P^t_f)$

Proof.

$\mathbf{RA1} \circ \mathbf{AP}(P)$
$= \mathbf{RA1}(\mathit{true} \lhd s.wait \rhd \lnot \mathbf{RA2} \circ \mathbf{PBMH}(P^f_f) \vdash s \in ac' \lhd s.wait \rhd \mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(P^t_f))$ {Theorem T.6.2.9}
$= \mathbf{RA1} \circ \mathbf{RA3}(\lnot \mathbf{RA2} \circ \mathbf{PBMH}(P^f_f) \vdash \mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(P^t_f))$ {Lemma L.G.4.1}
$= \mathbf{RA1} \circ \mathbf{RA3} \circ \mathbf{RA2}(\lnot \mathbf{PBMH}(P^f_f) \vdash \mathbf{RA1} \circ \mathbf{PBMH}(P^t_f))$ {Lemma L.G.2.15}
$= \mathbf{RA3} \circ \mathbf{RA2} \circ \mathbf{RA1}(\lnot \mathbf{PBMH}(P^f_f) \vdash \mathbf{RA1} \circ \mathbf{PBMH}(P^t_f))$ {Theorems T.5.2.10 and T.5.2.16}
$= \mathbf{RA3} \circ \mathbf{RA2} \circ \mathbf{RA1}(\lnot \mathbf{PBMH}(P^f_f) \vdash \mathbf{PBMH}(P^t_f))$ {Lemma L.G.1.20}
$= \mathbf{RA3} \circ \mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(\lnot P^f_f \vdash P^t_f)$ {Lemma L.4.2.2}
$= \mathbf{RA} \circ \mathbf{PBMH}(\lnot P^f_f \vdash P^t_f)$ {Definition of RA}
$= \mathbf{RA} \circ \mathbf{A}(\lnot P^f_f \vdash P^t_f)$ {Theorem T.G.1.6}

□

The reactive angelic design ensures that RA1 applies to the whole angelic design, which by extension also includes the negation of the precondition (Lemma L.G.1.23). We consider the following Example 42, where we apply RA1 to the design of Example 40.

Example 42  $\mathbf{RA1}(s.wait \lor \lnot \mathbf{RA1}(\mathit{true}) \vdash s.wait \land s \in ac') = \mathit{Chaos}_{RAD}$

Proof. Theorems T.6.4.10 and T.6.4.11

□

This result shows that it is possible to recover the original Chaos_RAD of reactive angelic designs. In fact, as we discuss in the next Section 6.3.3, this is the case for every reactive angelic design.


6.3.3 Galois Connection and Isomorphism 

The results of the previous section suggest that every reactive angelic design can be expressed as an angelic process. If we consider the application of H1 to a reactive angelic design followed by the application of RA1, then we obtain the same reactive angelic design, as established by the following Theorem T.6.3.3.

Theorem T.6.3.3  $\mathbf{RA1} \circ \mathbf{H1} \circ \mathbf{RAD}(P) = \mathbf{RAD}(P)$

Proof.

$\mathbf{RA1} \circ \mathbf{H1} \circ \mathbf{RAD}(P)$
$= \mathbf{RA1} \circ \mathbf{AP}(\lnot \mathbf{RA1} \circ \mathbf{PBMH}(P^f_f) \vdash P^t_f)$ {Lemma L.H.2.4}
$= \mathbf{RA} \circ \mathbf{A}(\lnot \mathbf{RA1} \circ \mathbf{PBMH}(P^f_f) \vdash P^t_f)$ {Theorem T.6.3.2 and Lemmas L.A.2.5 and L.A.2.6}
$= \mathbf{RA} \circ \mathbf{PBMH}(\lnot \mathbf{RA1} \circ \mathbf{PBMH}(P^f_f) \vdash P^t_f)$ {Theorem T.G.1.6}
$= \mathbf{RA}(\lnot \mathbf{PBMH} \circ \mathbf{RA1} \circ \mathbf{PBMH}(P^f_f) \vdash \mathbf{PBMH}(P^t_f))$ {Lemma L.4.2.2}
$= \mathbf{RA}(\lnot \mathbf{RA1} \circ \mathbf{PBMH}(P^f_f) \vdash \mathbf{PBMH}(P^t_f))$ {Theorem T.5.2.5}
$= \mathbf{RA3} \circ \mathbf{RA2} \circ \mathbf{RA1}(\lnot \mathbf{RA1} \circ \mathbf{PBMH}(P^f_f) \vdash \mathbf{PBMH}(P^t_f))$ {Definition of RA}
$= \mathbf{RA3} \circ \mathbf{RA2} \circ \mathbf{RA1}(\lnot \mathbf{PBMH}(P^f_f) \vdash \mathbf{PBMH}(P^t_f))$ {Lemma L.G.1.23}
$= \mathbf{RA}(\lnot \mathbf{PBMH}(P^f_f) \vdash \mathbf{PBMH}(P^t_f))$ {Definition of RA}
$= \mathbf{RA} \circ \mathbf{PBMH}(\lnot P^f_f \vdash P^t_f)$ {Lemma L.4.2.2}
$= \mathbf{RA} \circ \mathbf{A}(\lnot P^f_f \vdash P^t_f)$ {Theorem T.G.1.6}
$= \mathbf{RAD}(P)$ {Theorem T.5.2.20}

□

This is a fundamental result, which together with the links between the theory of reactive angelic designs and CSP establishes that every CSP process can also be modelled in this theory, following results on the composition of Galois connections (Theorem 4.2.5 in [35]).

When we consider the mapping in the opposite direction, however, an inequality is obtained, as established by Theorem T.6.3.4.

Theorem T.6.3.4  $\mathbf{H1} \circ \mathbf{RA1} \circ \mathbf{AP}(P) \sqsupseteq \mathbf{AP}(P)$

Proof.

$\mathbf{H1} \circ \mathbf{RA1} \circ \mathbf{AP}(P)$
$= \mathbf{H1} \circ \mathbf{RA} \circ \mathbf{A}(\lnot P^f_f \vdash P^t_f)$ {Theorem T.6.3.2}
$= \mathbf{AP}(\lnot \mathbf{RA1} \circ \mathbf{PBMH}(P^f_f) \vdash P^t_f)$ {Theorem T.5.2.20 and Lemma L.H.2.4}
$\sqsupseteq \mathbf{AP}(\lnot \mathbf{PBMH}(P^f_f) \vdash P^t_f)$ {Lemma L.G.1.21 and strengthen precondition}
$= \mathbf{RA3}_{AP} \circ \mathbf{RA2} \circ \mathbf{A}(\lnot \mathbf{PBMH}(P^f_f) \vdash P^t_f)$ {Lemma L.H.1.11}
$= \mathbf{RA3}_{AP} \circ \mathbf{RA2} \circ \mathbf{A}(\lnot P^f_f \vdash P^t_f)$ {Definition of A, Lemma L.4.2.2 and Theorem T.E.2.1}
$= \mathbf{AP}(P)$ {Lemma L.H.1.11}

□

This is expected, since reactive angelic designs require RA1 to be enforced under all circumstances, whereas angelic processes do not necessarily enforce RA1. Thus there is a Galois connection between the theory of reactive angelic designs and angelic processes. We consider the following example, where RA1 and H1 are applied to the bottom of the lattice $\bot_{AP} = (s.wait \vdash s \in ac')$ of angelic processes.

Example 43

$\mathbf{H1} \circ \mathbf{RA1}(s.wait \vdash s \in ac') = (s.wait \lor \lnot \mathbf{RA1}(\mathit{true}) \vdash s.wait \land s \in ac')$

Proof. Theorems T.6.4.11 and T.6.4.10

□

The result is exactly the same as the result of applying H1 to Chaos_RAD. This angelic process has a weaker precondition than that of the bottom $\bot_{AP}$ and is therefore a refinement of $\bot_{AP}$.
If we restrict our attention to the subset of angelic processes that are non-divergent, then Theorem T.6.3.4 can be strengthened into an equality, as established by the following Theorem T.6.3.5.

Theorem T.6.3.5  $\mathbf{H1} \circ \mathbf{RA1} \circ \mathbf{ND}_{AP} \circ \mathbf{AP}(P) = \mathbf{ND}_{AP} \circ \mathbf{AP}(P)$

Therefore, the subsets of non-divergent processes of the theories of angelic processes and of reactive angelic designs are isomorphic. In addition, if we consider the links between CSP and the theory of reactive angelic designs, and in particular the subset characterised by A2 and ND_RAD, then we can also ascertain that there is a subset corresponding exactly to non-divergent CSP processes in our model.


6.4 Operators 


In this section we present the definition of some important operators of the theory of angelic processes. Similarly to the approach in Section 5.4, we study the relationship between these operators and their counterparts as reactive angelic designs.


6.4.1 Angelic Choice 

The angelic choice operator of this theory is also defined through the least upper bound of the lattice of angelic processes, which is conjunction.

Definition 131  $P \sqcup_{AP} Q = P \land Q$

This operator is closed under AP, as established by Theorem T.6.4.1.

Theorem T.6.4.1  Provided P and Q are AP-healthy,

$\mathbf{AP}(P \sqcup_{AP} Q) = P \sqcup_{AP} Q$

It is also closed under the subset of non-divergent angelic processes, characterised by ND_AP, as established by Theorem T.6.4.2.

Theorem T.6.4.2  Provided P and Q are ND_AP-healthy,

$\mathbf{ND}_{AP}(P \sqcup_{AP} Q) = P \sqcup_{AP} Q$

The angelic choice of two reactive angelic designs can be equally obtained through the least upper bound of the lattice of angelic processes, as established by the following Theorem T.6.4.3.

Theorem T.6.4.3  Provided P and Q are RAD-healthy,

$\mathbf{RA1}(\mathbf{H1}(P) \sqcup_{AP} \mathbf{H1}(Q)) = P \sqcup_{RAD} Q$

Proof.

$\mathbf{RA1}(\mathbf{H1}(P) \sqcup_{AP} \mathbf{H1}(Q))$
$= \mathbf{RA1}(\mathbf{H1}(P) \land \mathbf{H1}(Q))$ {Definition of $\sqcup_{AP}$}
$= \mathbf{RA1} \circ \mathbf{H1}(P) \land \mathbf{RA1} \circ \mathbf{H1}(Q)$ {Theorem T.5.2.2}
$= \mathbf{RA1} \circ \mathbf{H1} \circ \mathbf{RAD}(P) \land \mathbf{RA1} \circ \mathbf{H1} \circ \mathbf{RAD}(Q)$ {Assumption: P and Q are RAD-healthy}
$= \mathbf{RAD}(P) \land \mathbf{RAD}(Q)$ {Theorem T.6.3.3}
$= P \land Q$ {Assumption: P and Q are RAD-healthy}
$= P \sqcup_{RAD} Q$ {Definition of $\sqcup_{RAD}$}

□

In words, if we consider two reactive angelic designs P and Q, and after mapping them through the function H1 we take the least upper bound $\sqcup_{AP}$, followed by RA1, then we obtain the same result as the least upper bound $\sqcup_{RAD}$ of P and Q.

Together with the result of Theorem T.6.4.2, this establishes that the angelic choice operator for the subset of non-divergent processes is in correspondence with that of the theory of reactive angelic designs.

However, when we consider the result in the opposite direction, that is, by considering two angelic processes P and Q mapped through RA1, followed by the application of H1, then the result is not an equality.

Theorem T.6.4.4  Provided P and Q are AP-healthy,

$\mathbf{H1}(\mathbf{RA1}(P) \sqcup_{RAD} \mathbf{RA1}(Q)) \sqsupseteq P \sqcup_{AP} Q$

This is expected, since the theory of angelic processes is less strict with regards to enforcing RA1.

6.4.2 Demonic Choice 

Like in the theory of reactive angelic designs, demonic choice is also defined using the greatest lower bound, which is disjunction.

Definition 132  $P \sqcap_{AP} Q = P \lor Q$

This operator is closed under AP, as established by Theorem T.6.4.5, and is also closed under the subset of non-divergent processes, as established by Theorem T.6.4.6.

Theorem T.6.4.5  Provided P and Q are AP-healthy, $\mathbf{AP}(P \sqcap_{AP} Q) = P \sqcap_{AP} Q$.

Theorem T.6.4.6  Provided P and Q are ND_AP-healthy,

$\mathbf{ND}_{AP}(P \sqcap_{AP} Q) = P \sqcap_{AP} Q$

The demonic choice of two reactive angelic designs P and Q can be equally obtained through the greatest lower bound of the lattice of angelic processes, as the following Theorem T.6.4.7 establishes.

Theorem T.6.4.7  Provided P and Q are RAD-healthy,

$\mathbf{RA1}(\mathbf{H1}(P) \sqcap_{AP} \mathbf{H1}(Q)) = P \sqcap_{RAD} Q$

Proof.

$\mathbf{RA1}(\mathbf{H1}(P) \sqcap_{AP} \mathbf{H1}(Q))$
$= \mathbf{RA1}(\mathbf{H1}(P) \lor \mathbf{H1}(Q))$ {Definition of $\sqcap_{AP}$}
$= \mathbf{RA1} \circ \mathbf{H1}(P) \lor \mathbf{RA1} \circ \mathbf{H1}(Q)$ {Theorem T.5.2.3}
$= \mathbf{RA1} \circ \mathbf{H1} \circ \mathbf{RAD}(P) \lor \mathbf{RA1} \circ \mathbf{H1} \circ \mathbf{RAD}(Q)$ {Assumption: P and Q are RAD-healthy}
$= \mathbf{RAD}(P) \lor \mathbf{RAD}(Q)$ {Theorem T.6.3.3}
$= P \lor Q$ {Assumption: P and Q are RAD-healthy}
$= P \sqcap_{RAD} Q$ {Definition of $\sqcap_{RAD}$}

□

If we map P and Q through H1, take the greatest lower bound $\sqcap_{AP}$, and then apply RA1, then the same result can be obtained by taking the greatest lower bound $\sqcap_{RAD}$ of reactive angelic designs. With this result, together with the closure of $\sqcap_{AP}$ under ND_AP (Theorem T.6.4.6), it is possible to ascertain that the demonic choice for non-divergent processes is in correspondence in both models.

In general, the greatest lower bound of the theory of angelic processes cannot be replicated in the theory of reactive angelic designs, as established by the following Theorem T.6.4.8.

Theorem T.6.4.8  Provided P and Q are AP-healthy,

$\mathbf{H1}(\mathbf{RA1}(P) \sqcap_{RAD} \mathbf{RA1}(Q)) \sqsupseteq P \sqcap_{AP} Q$

This inequality is expected, since the model of angelic processes does not necessarily enforce RA1 under all circumstances, while in the theory of reactive angelic designs this is always the case.


6.4.3 Divergence: Chaos and Chaos of CSP 

In our theory of angelic processes, the bottom of the lattice is defined by Chaos_AP, whose definition can be given in terms of the bottom of designs as follows.

Definition 133  $\mathit{Chaos}_{AP} = \mathbf{AP}(\mathit{false} \vdash \mathit{true})$

This can be expanded into a design, as established by Lemma L.6.4.1.

Lemma L.6.4.1  $\mathit{Chaos}_{AP} = (s.wait \vdash s \in ac')$

The precondition requires the component wait of the initial state s to be true, while the postcondition keeps the state unchanged by requiring s to be in the set of final states ac'. In other words, as long as the environment is waiting for an interaction, the state is kept unchanged. However, once the environment is no longer waiting, Chaos_AP diverges and the behaviour is described by true. Chaos_AP is a unit for angelic choice, as established by Theorem T.6.4.9.

Theorem T.6.4.9  Provided P is AP-healthy, $P \sqcup_{AP} \mathit{Chaos}_{AP} = P$

In other words, if possible, the angel can avoid divergence.
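As an added worked derivation, not taken from the thesis, both Lemma L.6.4.1 and Theorem T.6.4.9 above can be checked directly against the design form of AP given in Theorem T.6.2.9, using Definition 131 ($\sqcup_{AP}$ is conjunction) together with two standard UTP laws of designs: $(P \vdash Q) = (P \vdash P \land Q) = (P \vdash P \Rightarrow Q)$ and $(P_1 \vdash P_2) \land (Q_1 \vdash Q_2) = (P_1 \lor Q_1 \vdash (P_1 \Rightarrow P_2) \land (Q_1 \Rightarrow Q_2))$. The derivation also assumes that PBMH and RA2 map true to true, as follows from their definitions as a relational composition and a substitution respectively; that fact is not stated on this page. The names pre and post are abbreviations introduced here for the two components of Theorem T.6.2.9.

```latex
% Added derivation; not part of the thesis. Design laws used:
%   (P |- Q) = (P |- P /\ Q) = (P |- P => Q)
%   (P1 |- P2) /\ (Q1 |- Q2) = (P1 \/ Q1 |- (P1 => P2) /\ (Q1 => Q2))
% Assumed: PBMH(true) = RA2(true) = true.

% Lemma L.6.4.1. Since (false |- true) = (ok /\ false => ok' /\ true) = true,
% P = (false |- true) gives P^f_f = P^t_f = true.
\begin{align*}
\mathbf{AP}(\mathit{false} \vdash \mathit{true})
 &= (\mathit{true} \lhd s.wait \rhd \lnot\mathbf{RA2}\circ\mathbf{PBMH}(\mathit{true})
     \vdash s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}\circ\mathbf{PBMH}(\mathit{true}))
   && \{\text{Theorem T.6.2.9}\}\\
 &= (\mathit{true} \lhd s.wait \rhd \mathit{false}
     \vdash s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}(\mathit{true}))
   && \{\mathbf{PBMH}(\mathit{true}) = \mathbf{RA2}(\mathit{true}) = \mathit{true}\}\\
 &= (s.wait \vdash s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}(\mathit{true}))
   && \{\text{Conditional}\}\\
 &= (s.wait \vdash s.wait \land (s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}(\mathit{true})))
   && \{(P \vdash Q) = (P \vdash P \land Q)\}\\
 &= (s.wait \vdash s \in ac')
   && \{\text{Conditional}\}
\end{align*}

% Theorem T.6.4.9. For AP-healthy P, Theorem T.6.2.9 gives P = (pre |- post) with
%   pre  = true    <| s.wait |> not RA2 o PBMH(P^f_f)
%   post = s in ac' <| s.wait |> RA2 o RA1 o PBMH(P^t_f)
% so that s.wait => pre, and s.wait => (post <=> s in ac').
\begin{align*}
P \sqcup_{AP} \mathit{Chaos}_{AP}
 &= (\mathit{pre} \vdash \mathit{post}) \land (s.wait \vdash s \in ac')
   && \{\text{Definition 131 and Lemma L.6.4.1}\}\\
 &= (\mathit{pre} \lor s.wait \vdash (\mathit{pre} \Rightarrow \mathit{post}) \land (s.wait \Rightarrow s \in ac'))
   && \{\text{Conjunction of designs}\}\\
 &= (\mathit{pre} \vdash (\mathit{pre} \Rightarrow \mathit{post}) \land (s.wait \Rightarrow s \in ac'))
   && \{s.wait \Rightarrow \mathit{pre}\}\\
 &= (\mathit{pre} \vdash \mathit{pre} \Rightarrow \mathit{post})
   && \{s.wait \Rightarrow (\mathit{post} \Leftrightarrow s \in ac'),\ \text{case analysis on } s.wait\}\\
 &= (\mathit{pre} \vdash \mathit{post})
   && \{(P \vdash Q) = (P \vdash P \Rightarrow Q)\}\\
 &= P
   && \{\text{Theorem T.6.2.9}\}
\end{align*}
```

The case analysis in the fourth step of the second derivation is the whole argument: when s.wait holds, pre is true and post is just $s \in ac'$, so both conjuncts collapse to $s \in ac'$; when s.wait is false, the second conjunct is vacuous. The precondition of Chaos_AP is therefore absorbed without strengthening or weakening pre, which is why angelic choice can discard the divergent branch.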

In this theory, the process that corresponds to Chaos_RAD is ChaosCSP_AP, which is defined through a design as follows.

Definition 134  $\mathit{ChaosCSP}_{AP} = \mathbf{AP}(\lnot \mathbf{RA1}(\mathit{true}) \vdash \mathit{true})$

Instead of false, the precondition requires $\lnot \mathbf{RA1}(\mathit{true})$. As already discussed, it is the negation of the precondition of a design that gives the behaviour in case of possible non-termination. This design can be expanded as established by the following Lemma L.6.4.2.

Lemma L.6.4.2  $\mathit{ChaosCSP}_{AP} = (s.wait \lor \lnot \mathbf{RA1}(\mathit{true}) \vdash s.wait \land s \in ac')$

In words, when the environment is waiting for an interaction, the state is kept unchanged. Otherwise, the design diverges, but still requires that RA1 holds, unlike Chaos_AP. This corresponds exactly to the mapping of Chaos_RAD through the linking function H1, as established by Theorem T.6.4.10.

Theorem T.6.4.10  $\mathbf{H1}(\mathit{Chaos}_{RAD}) = \mathit{ChaosCSP}_{AP}$

Similarly, if we map ChaosCSP_AP through RA1 we obtain the bottom of the lattice of reactive angelic designs, Chaos_RAD.

Theorem T.6.4.11  $\mathbf{RA1}(\mathit{ChaosCSP}_{AP}) = \mathit{Chaos}_{RAD}$

This follows from the general result of Theorem T.6.3.3.


6.4.4 Choice 

The most nondeterministic process that does not diverge is defined as Choice_AP and can be defined through a design as follows.

Definition 135  $\mathit{Choice}_{AP} = \mathbf{AP}(\mathit{true} \vdash ac' \neq \emptyset)$

The precondition is true, while any set of final states ac' is acceptable. The resulting behaviour, constrained by AP, is established through the following Lemma L.6.4.3.

Lemma L.6.4.3  $\mathbf{AP}(\mathit{true} \vdash ac' \neq \emptyset) = (\mathit{true} \vdash s \in ac' \lhd s.wait \rhd \mathbf{RA1}(\mathit{true}))$

The precondition is also true, while the postcondition has a conditional on s.wait. As is the case for every angelic process, when the process is waiting for the environment, and s.wait is true, the state is kept unchanged. Otherwise, the only guarantee is that there is a final state in ac' satisfying RA1.

As previously discussed, the operator Choice_AP is used to characterise algebraically the subset of angelic processes that are non-divergent. Therefore, it is closed under ND_AP, and by definition, equally closed under AP. It is the counterpart to Choice_RAD of the theory of reactive angelic designs, as established by the following Theorems T.6.4.12 and T.6.4.13.

Theorem T.6.4.12  $\mathbf{H1}(\mathit{Choice}_{RAD}) = \mathit{Choice}_{AP}$

Theorem T.6.4.13  $\mathbf{RA1}(\mathit{Choice}_{AP}) = \mathit{Choice}_{RAD}$

The result of Theorem T.6.4.13 follows directly from Theorem T.6.4.12 and the general result of Theorem T.6.3.3.
6.4.5 Stop

In this theory, deadlock is modelled by Stop_AP, whose definition is similar to that of the reactive angelic design Stop_RAD.

Definition 136  $\mathit{Stop}_{AP} = \mathbf{AP}(\mathit{true} \vdash (\exists\, y \in ac' \bullet y.tr = s.tr \land y.wait))$

The precondition is true, while the postcondition states that there is a final state y in the set of final states ac' where the trace is kept unchanged and the process is always waiting for the environment. This definition can be directly obtained by applying H1 to Stop_RAD, as established by Theorem T.6.4.14.

Theorem T.6.4.14  $\mathbf{H1}(\mathit{Stop}_{RAD}) = \mathit{Stop}_{AP}$

Similarly, Stop_RAD can be obtained by applying RA1 to Stop_AP, as established by the following Theorem T.6.4.15.

Theorem T.6.4.15  $\mathbf{RA1}(\mathit{Stop}_{AP}) = \mathit{Stop}_{RAD}$

This is expected, since Stop_AP is a non-divergent angelic process, and so it is in direct correspondence with a reactive angelic design.


6.4.6 Skip

The process that always terminates successfully is characterised by $Skip_{AP}$. Its definition as a design is presented below.

Definition 137 $Skip_{AP} = \mathbf{AP}(true \vdash (\exists y \in ac' \bullet y.tr = s.tr \land \lnot y.wait))$

The precondition is $true$, while the postcondition states that there is a final state $y$ in $ac'$ where the trace of events is kept unchanged and the component $wait$ is $false$. $Skip_{AP}$ is in correspondence with $Skip_{RAD}$ of the theory of reactive angelic designs, as established by the following Theorems T.6.4.16 and T.6.4.17.

Theorem T.6.4.16 $\mathbf{H1}(Skip_{RAD}) = Skip_{AP}$

Theorem T.6.4.17 $\mathbf{RA1}(Skip_{AP}) = Skip_{RAD}$

These results are expected since $Skip_{AP}$ and $Skip_{RAD}$ are both non-divergent processes.
6.4.7 Sequential Composition

In our theory of angelic processes, the definition of sequential composition is also $;_{Dac}$ from the theory of angelic designs. When we consider two angelic processes $P$ and $Q$, the following closure result is obtained.

Theorem T.6.4.18 Provided $P$ and $Q$ are $\mathbf{AP}$-healthy,
$$
P \mathop{;}_{Dac} Q = \mathbf{AP}\left(\begin{array}{l}
\lnot (P^f \mathop{;}_A true) \land \lnot (\mathbf{RA1}(P^t) \mathop{;}_A (\lnot s.wait \land \mathbf{RA2}(Q^f))) \\
\vdash \\
\mathbf{RA1}(P^t) \mathop{;}_A (s \in ac' \lhd s.wait \rhd \mathbf{RA2}(\lnot Q^f \Rightarrow \mathbf{RA1}(Q^t)))
\end{array}\right)
$$

This result is similar to that obtained in the theory of reactive angelic designs (Theorem T.5.4.21). The difference is that $\mathbf{RA1}$ is no longer applied to $P^f$ and $Q^f$, the negations of the preconditions of $P$ and $Q$, respectively. If $P$ may diverge, then the result is the bottom of the lattice, $Chaos_{AP}$. Similarly, since the precondition of $Q$ does not need to observe $\mathbf{RA1}$, if $Q$ diverges, then the sequential composition also behaves like $Chaos_{AP}$ once $P$ has finished interacting with the environment.

Thus, in our theory of angelic processes, $;_{Dac}$ is a sequential composition operator that behaves differently from that of CSP, in that it can back-propagate the divergence of $Q$ through $P$, irrespective of other interactions that happen in $P$, as long as, eventually, the environment may terminate its interactions with $P$ and behave as $Q$. We consider the following Example 44.


Example 44 $(Stop_{AP} \sqcup_{AP} Skip_{AP}) \mathop{;}_{Dac} Chaos_{AP} = Stop_{AP}$

Proof. Lemma L.H.3.6. □

In this case, the angel avoids the divergence of $Chaos_{AP}$ by resolving the choice in favour of deadlock. This is similar to the behaviour in the theory of reactive angelic designs, since $Stop_{AP}$ can prevent $Chaos_{AP}$ from ever being reached.

In general, the result of applying $\mathbf{RA1}$ to the sequential composition of two reactive angelic designs $P$ and $Q$ mapped through $\mathbf{H1}$ is not equivalent to sequentially composing these two processes in the theory of reactive angelic designs, as established by Theorem T.6.4.19.










Theorem T.6.4.19 Provided $P$ and $Q$ are reactive angelic designs,
$$\mathbf{RA1}(\mathbf{H1}(P) \mathop{;}_{Dac} \mathbf{H1}(Q)) \sqsubseteq P \mathop{;}_{Dac} Q$$

This is because the possibility to diverge in $P$, in the theory of angelic processes, can lead to immediate divergence, as already discussed. Thus, when the sequential composition of $\mathbf{H1}(P)$ and $\mathbf{H1}(Q)$ is mapped back through $\mathbf{RA1}$, there is a weakening.

Similarly, the reverse mapping through $\mathbf{H1}$ of the sequential composition of two angelic processes $P$ and $Q$ mapped through $\mathbf{RA1}$ is also an inequality, as established by Theorem T.6.4.20.

Theorem T.6.4.20 Provided $P$ and $Q$ are $\mathbf{AP}$-healthy,
$$\mathbf{H1}(\mathbf{RA1}(P) \mathop{;}_{Dac} \mathbf{RA1}(Q)) \sqsupseteq P \mathop{;}_{Dac} Q$$

This is due to the fact that the notion of divergence is different. In a sequential composition of $P$ and the bottom of the lattice $Chaos_{AP}$, the result is also $Chaos_{AP}$. If we map $Chaos_{AP}$ through $\mathbf{RA1}$, the result is $Chaos_{RAD}$ (Theorem T.6.4.11), which, when sequentially composed after the process $\mathbf{RA1}(P)$, still preserves the history of events in $P$, whereas the corresponding process in the theory of angelic processes does not. Hence, there is a strengthening.

However, if we consider the subset of non-divergent reactive angelic designs, characterised by $\mathbf{ND}_{RAD}$, then Theorem T.6.4.19 can be strengthened into an equality, as established by Theorem T.6.4.21.

Theorem T.6.4.21 Provided $P$ and $Q$ are reactive angelic designs and $\mathbf{ND}_{RAD}$-healthy,
$$\mathbf{RA1}(\mathbf{H1}(P) \mathop{;}_{Dac} \mathbf{H1}(Q)) = P \mathop{;}_{Dac} Q$$

In addition, the operator $;_{Dac}$ is closed under $\mathbf{ND}_{AP}$, as established by the following Theorem T.6.4.22.

Theorem T.6.4.22 Provided $P$ and $Q$ are angelic processes and $\mathbf{ND}_{AP}$-healthy,
$$\mathbf{ND}_{AP}(P \mathop{;}_{Dac} Q) = P \mathop{;}_{Dac} Q$$

Thus, as long as $P$ and $Q$ are non-divergent, $;_{Dac}$ behaves exactly in the same way as in the theory of reactive angelic designs. By extension, this also applies to the subset of $\mathbf{A2}$ processes, which do not exhibit angelic nondeterminism. Therefore, it also applies to the subset of non-divergent CSP processes.

6.4.8 Prefixing

Similarly to the previous non-divergent processes, event prefixing has a definition similar to that of $a \to_{RAD} Skip_{RAD}$ in the theory of reactive angelic designs.

Definition 138
$$
a \to_{AP} Skip_{AP} = \mathbf{AP}\left(true \vdash \left(\exists y \in ac' \bullet
\begin{array}{l}
(y.tr = s.tr \land a \notin y.ref) \\
\lhd y.wait \rhd \\
(y.tr = s.tr \frown \langle a \rangle)
\end{array}\right)\right)
$$

The precondition is $true$, while the postcondition is exactly like that of the corresponding reactive angelic design $a \to_{RAD} Skip_{RAD}$ (Section 5.4.8).

The event prefixing of both theories is in correspondence, as established by the following Lemmas L.6.4.4 and L.6.4.5.

Lemma L.6.4.4 $\mathbf{H1}(a \to_{RAD} Skip_{RAD}) = a \to_{AP} Skip_{AP}$

Lemma L.6.4.5 $\mathbf{RA1}(a \to_{AP} Skip_{AP}) = a \to_{RAD} Skip_{RAD}$

Similarly to the theory of reactive angelic designs, in general, the process $a \to_{AP} P$ denotes the compound process $a \to_{AP} Skip_{AP} \mathop{;}_{Dac} P$, whose result as an angelic process is established by Theorem T.6.4.23.

Theorem T.6.4.23 Provided $P$ is $\mathbf{AP}$-healthy,
$$
a \to_{AP} P = \mathbf{AP}\left(\begin{array}{l}
\lnot (\exists y \bullet \lnot y.wait \land y.tr = s.tr \frown \langle a \rangle \land (\mathbf{RA2} \circ \mathbf{PBMH}(P^f))[y/s]) \\
\vdash \\
\exists y \bullet \left(\begin{array}{l}
(y.tr = s.tr \land a \notin y.ref \land y \in ac') \\
\lhd y.wait \rhd \\
(y.tr = s.tr \frown \langle a \rangle \land (\mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(P^t))[y/s])
\end{array}\right)
\end{array}\right)
$$

This result is a counterpart to that of Theorem T.5.4.29. The difference lies in the precondition of the design: the negation of the precondition of $P$ is not necessarily required to observe $\mathbf{RA1}$. In addition, the application of $\mathbf{PBMH}$ can be simplified by taking into account that every $\mathbf{AP}$-healthy process is also $\mathbf{PBMH}$-healthy.

In order to illustrate the behaviour of prefixing in the presence of divergence, we consider the following Example 45.

Example 45 $a \to_{AP} Chaos_{AP} = Chaos_{AP}$

Proof. Lemma L.H.3. □

In this case, the potential for divergence after performing event $a$ leads to immediate divergence. If instead we sequentially compose prefixing on the event $a$ with $ChaosCSP_{AP}$, the behaviour is different, as established by Lemma L.6.4.6.

Lemma L.6.4.6
$$
a \to_{AP} ChaosCSP_{AP} = \mathbf{AP}(\lnot (\exists y \in ac' \bullet s.tr \frown \langle a \rangle \le y.tr) \vdash (\exists y \in ac' \bullet y.wait \land y.tr = s.tr \land a \notin y.ref))
$$

This result mirrors the behaviour of $a \to_{RAD} ChaosCSP_{RAD}$ of the theory of reactive angelic designs (Theorem T.G.8.8).

We revisit Example 35 by restating it in the theory of angelic processes as Example 46.

Example 46 $a \to_{AP} Chaos_{AP} \sqcup_{AP} b \to_{AP} Skip_{AP} = b \to_{AP} Skip_{AP}$

Proof. Lemma L.H.3.8 and Theorem T.6.4.9. □

Now, in the context of the theory of angelic processes, the possibility for divergence is avoided altogether, and the result is the prefixing on the event $b$. As required, the angel can avoid processes that may lead to divergence altogether, a property that is not observed in the theory of reactive angelic designs.


6.5 Final Considerations

The motivation for the theory of angelic processes stems from the limitations of the angelic choice of reactive angelic designs, which is unable to avoid divergence completely, as in the case of Example 35. The possibility to avoid divergence is a desirable property that is much closer in spirit to the refinement calculus. In order to tackle this aspect, we have pursued a theory that drops $\mathbf{RA1}$, and thus is able to undo the history of events if necessary. The result is a theory of angelic designs, whose pre and postconditions observe a subset of the healthiness conditions of the theory of reactive angelic designs, such as $\mathbf{RA2}$ and $\mathbf{PBMH}$.

We have studied the relationship between the theories and established that there is a Galois connection between them. As illustrated in Figures 1.1 and 1.6, reactive angelic designs can be mapped into this theory by turning them into designs, through $\mathbf{H1}$, while angelic processes can be mapped in the opposite direction by applying $\mathbf{RA1}$. We have found that the subset of non-divergent angelic processes, characterised by $\mathbf{ND}_{AP}$, is isomorphic to the subset of non-divergent reactive angelic designs characterised by $\mathbf{ND}_{RAD}$. Together with the linking results from Chapter 5 between RAD and CSP, this implies that the subset of non-divergent CSP processes has exactly the same semantics in this model.

Since every reactive angelic design can be mapped into the model of angelic processes and back, we can ascertain that there is a subset in AP that characterises all reactive angelic designs. This is essentially a subset whose negated preconditions satisfy $\mathbf{RA1}$. If we consider the subset of RAD that is isomorphic to CSP (characterised by $\mathbf{A2}$), it is possible to postulate that there is also a subset in AP characterising every CSP process.

However, since we allow the history of events to be undone when $ok$ is false, not all operators are necessarily in correspondence, as is the case, for example, with sequential composition. A parallel can be drawn in the theory of CSP, where this problem corresponds to the possibility of characterising CSP processes as designs, rather than reactive designs. The difference between these two can clearly be seen from the fact that $\mathbf{H1}$ and $\mathbf{R1}$ do not commute. While such a theory of designs could possibly characterise CSP processes, this would mean that the definition of the operators would need to change in order to accommodate such a model, thus negating the benefits of unification in the UTP.






















Chapter 7
Conclusions

In this chapter we conclude this thesis by summarizing our contributions. In addition, we discuss lines for future work.

7.1 Contributions

As previously discussed, angelic nondeterminism has been used in a variety of different contexts, such as in problems whose solutions may involve a combination of search and backtracking. This is the case, for example, when modelling game-like scenarios, theorem-proving tactics, or constraint satisfaction problems. In general, angelic nondeterminism enables a great degree of abstraction in the context of formal models and specifications. Its characterisation in the context of process algebras, such as CSP, however, has, to the best of our knowledge, been elusive. The existing approaches have either considered notions of angelic nondeterminism [?] different from that of refinement calculi, or different CSP semantics [?].

Angelic nondeterminism has traditionally been studied in the context of theories of correctness for sequential computations, such as in the refinement calculus [29, ?, 32], where it is characterised as the least upper bound of the lattice of monotonic predicate transformers. Isomorphic models include Rewitzky's theory of binary multirelations [32], which is the foundation of our approach.

Our first contribution, in Chapter 3, is an extended model of binary multirelations that caters for possibly non-terminating computations. This model provides a complementary view of our theory of angelic designs, which allows for preconditions that refer to the later or final values of a computation, as required for characterising CSP processes. Unlike purely sequential computations, in a reactive system there is a rich sequence of interactions, whose history cannot be undone even in the case of divergence, such as in the case of the process $a \to Chaos$.
Our work is based on the UTP of Hoare and He [?], a relational framework suitable for characterising different programming paradigms. As such, our results are applicable not only to CSP but also to any other algebra of (state-rich) reactive systems whose semantics is or can be described in the UTP. Our theories are complete lattices, and angelic and demonic choice are modelled as the meet and join, respectively. Each and every one of them is appropriately justified by studying its relationship with the established theories, which is central to the unification of theories in the UTP.

Our theory of angelic designs generalises the theory of Cavalcanti et al. [38] to include the variables $ok$ and $ok'$ for capturing termination. It caters for non-$\mathbf{H3}$ designs, as required for specifying CSP processes like $Chaos$, whose precondition, as a reactive design, refers to the after value of the trace of events. Its relationship with the theories of [38] and of extended binary multirelations sheds light on the definition of less trivial operators. Sequential composition, for instance, due to the use of non-homogeneous relations, is not relational composition as in other UTP theories. Apart from the relational characterisation of $ok$ and $ok'$, this suggests itself as a form of Kleisli composition, through the results established between the theory of angelic designs and binary multirelations, and its respective characterisation as the category of multirelations or multifunctions [78]. The result obtained for the sequential composition of angelic designs is pleasing, in that, using the operators $;_{Dac}$ and $;_A$, we have a definition similar to that in the original theory of designs.

The theory of reactive angelic designs considers the encoding of the observational variables $ref$, $tr$ and $wait$ of CSP as state components. This enables angelic choice over the value of these components in final or after states. Rather pleasingly, like the processes in the theory of CSP [?, 31], every RAD process can be specified in terms of designs, that is, pre and postcondition pairs, but now we use angelic designs. Unlike other attempts [18, ?], our approach consists of a natural extension of the concept of angelic nondeterminism from a theory of sequential correctness to a model of processes. This approach is strongly justified by the relationship between the theories, their isomorphic subsets, and by the correspondence of operators in both theories. We have a theory of CSP that preserves its existing semantics and that can be used to describe both angelic and demonic nondeterminism.

An important result obtained in the theory of reactive angelic designs pertains to the capability of the angel to avoid divergence. However, unlike in a theory of correctness for sequential computations, the history of interactions, as recorded by traces, cannot simply be undone, even in the presence of divergence. The healthiness condition $\mathbf{RA1}$, the counterpart to $\mathbf{R1}$ of CSP in the model of reactive angelic designs, ensures that this is the case under all circumstances.

Our final theory does not adopt $\mathbf{RA1}$ as a healthiness condition and as such allows the angel to discard traces of events leading to divergence. It is a theory of angelic designs: a complete lattice whose bottom $Chaos_{AP}$ is not the $Chaos$ of CSP. It is a process that, once executed, behaves arbitrarily, and may even undo the history of interactions. More importantly, in an angelic choice involving other interactions, it becomes possible for the angel to undo the history of events, if necessary, and avoid divergence. This is a property much closer in spirit to the angelic choice of the refinement calculus.

As a consequence, not every operator preserves the original semantics of CSP. That is the case of the sequential composition operator, for instance. However, the subset of non-divergent angelic processes is isomorphic to the subset of non-divergent reactive angelic designs. Moreover, each of the operators studied is closed within this subset.

In summary, we have two closely related theories for characterising angelic nondeterminism in CSP whose algebraic properties are clearly distinct. The theory of reactive angelic designs is a natural extension of CSP where the angelic choice cannot undo the history of events, but which preserves the semantics of CSP. On the other hand, the theory of angelic processes possesses algebraic properties closer to those of the refinement calculus, but does not necessarily preserve the semantics of all CSP processes. Nevertheless, the semantics of the subset of non-divergent processes is maintained, and so our initial hypothesis is satisfied.


7.2 Future Work

The work presented in this thesis lays the foundation for the complete development of process algebras with angelic nondeterminism in the wider context of state-rich reactive systems. Our approach has focused mainly on CSP; however, due to the UTP basis of our work, our results are equally applicable to other process calculi, including, for example, Circus, which is a combination of CSP and Z, and whose semantics [22] is also given using the UTP. Depending on the desired properties of the algebra, a future approach to incorporating our results in Circus needs to consider the implications of the treatment of divergence, which in the case of our model of angelic processes is rather different from the CSP theory.

A practical application of angelic nondeterminism in Circus can be found, for instance, in the modelling strategy of [?], which uses Circus Time, a timed version of Circus. Therefore, an interesting avenue for future work includes studying the role of angelic nondeterminism in timed versions of process calculi, such as Timed CSP [?] and Circus Time [50, ?]. A concern that is likely to surface is whether the angel should be allowed to change time in order to avoid divergence, an issue similar to the problem posed by $\mathbf{RA1}$. Such a construction would enable angelic nondeterminism to be employed as a specification abstraction in a theory that also includes time.

While we have studied a number of CSP operators, a complete theory of angelic nondeterminism for CSP requires other important operators to be considered, such as hiding and parallel composition. Recursion can be treated in a similar way to other UTP theories, as the weakest fixed point. For many of these, the use of our lifting operator $(\exists y \in ac' \bullet \ldots)$ is likely to be useful and give rise to definitions similar to those in the original theory of CSP; however, some operators, such as parallel composition, require further work. For instance, in the CSP theory, parallel composition is defined using the parallel by merge technique [?], which, in the context of our theory, requires further support for renaming and changing the fields of records.

Furthermore, the algebraic properties of many of the operators have yet to be fully explored. For example, in the case of the external choice operator, there are other alternative and plausible definitions that preserve the CSP semantics, whose algebraic properties, in the context of processes with angelic nondeterminism, are different. In the case of hiding, and similarly to the case of sequential composition, we hypothesize that angelic choice is likely not to be distributive; however, future work is necessary in order to propose and establish further laws. A related, and interesting, path for future work is the study of the encoding of additional healthiness conditions [?] of CSP and whether the addition of angelic choice may be needed to enable or simplify the algebraic specification of these.

Even in the context of the theory of angelic designs there is a wide scope for further work. While we have established links between that theory, the extended model of binary multirelations and the PBMH theory, it would also be beneficial to have a direct link with the weakest precondition model. The model of extended binary multirelations is also amenable to further study. For instance, recently Guttmann [?] has proposed a model of binary multirelations in the context of general correctness. A link could be established with this theory, and perhaps with other models of binary multirelations [?]. The links with the PBMH theory open the door for our theories to be studied in the context of multirelations.

From a practitioner's point of view, a theory becomes significantly more useful once there is a toolkit. There may be different approaches for tackling this aspect. For instance, one approach could involve the mechanisation of our theories using a theorem prover, which would not only help practitioners, but also help further validate our theories, proofs and examples. Approaches for mechanising UTP theories include those of Foster et al. [?] and Feliachi et al. [82] using Isabelle/HOL, Zeyda et al. [?] and Oliveira et al. [22] using ProofPower/Z, and others [?]. Particular issues that would need to be considered include reasoning about families of theories and encoding record types, with the capability to change and rename fields as well as type check them, as required to appropriately model sets of final states.

Finally, since the concept of angelic nondeterminism has been used in a variety of different contexts, it would be useful to conduct case studies. For example, in [?] angelic nondeterminism is employed to facilitate the faithful characterisation of idealised time models of control systems using Circus Time. In that context, the specification models are constructed from Simulink counterparts, which embody a notion of infinitely fast computations, while the respective implementation models capture the constraints of actual real-time computers. The link between these two is established through an assertion that requires the values output by the implementation to be in agreement with the values of the simulation model. Angelic nondeterminism is employed as an abstract specification mechanism, which, through back propagation, enforces the correct choices in the model. A necessary prerequisite for such a case study is the treatment of parallel composition, which features prominently.

We envision that many problems that have traditionally been tackled using angelic nondeterminism could be just as easily modelled using our theories, with the added benefit that they can be modelled in the context of process algebras. It remains to be seen how the inclusion of angelic nondeterminism can be fully exploited in the development of refinement strategies for the formal specification and verification of complex state-rich reactive systems. An example to be considered is the refinement of a specification with angelic nondeterminism to an algorithm which uses explicit backtracking. Related to this construction is the relationship between our theories and that of concurrent logic programming [?], which has yet to be explored.

In summary, we have now presented the first extension of CSP that includes a notion of angelic nondeterminism compatible with that of refinement calculi. It is a solid foundation for the extension of state-rich process algebra for refinement. As such, it provides a basis for further work on theory, so as to explore the algebra, techniques, and applications.
Appendix A

UTP: Relations, Designs and CSP

A.1 Theory of Relations

A.1.1 Conditional

Lemma L.A.1.1 $P \lhd c \rhd (Q \Rightarrow R) = (true \lhd c \rhd Q) \Rightarrow (P \lhd c \rhd R)$

Proof.
$$\begin{array}{lll}
 & P \lhd c \rhd (Q \Rightarrow R) & \{\text{Predicate calculus}\} \\
= & (false \lor P) \lhd c \rhd (\lnot Q \lor R) & \{\text{Property of conditional}\} \\
= & (false \lhd c \rhd \lnot Q) \lor (P \lhd c \rhd R) & \{\text{Predicate calculus and property of conditional}\} \\
= & (true \lhd c \rhd Q) \Rightarrow (P \lhd c \rhd R) &
\end{array}$$
□

Lemma L.A.1.2 Provided $ac'$ is not free in $c$, $(P \lhd c \rhd Q) \mathop{;}_A R = (P \mathop{;}_A R) \lhd c \rhd (Q \mathop{;}_A R)$

Proof.
$$\begin{array}{lll}
 & (P \lhd c \rhd Q) \mathop{;}_A R & \{\text{Definition of conditional}\} \\
= & ((c \land P) \lor (\lnot c \land Q)) \mathop{;}_A R & \{\text{Distributivity of } \mathop{;}_A \text{ (Lemma L.F.1.4)}\} \\
= & ((c \land P) \mathop{;}_A R) \lor ((\lnot c \land Q) \mathop{;}_A R) & \{\text{Distributivity of } \mathop{;}_A \text{ (Lemma L.F.1.5)}\} \\
= & ((c \mathop{;}_A R) \land (P \mathop{;}_A R)) \lor ((\lnot c \mathop{;}_A R) \land (Q \mathop{;}_A R)) & \{ac' \text{ not free in } c \text{ (Lemma L.F.1.1)}\} \\
= & (c \land (P \mathop{;}_A R)) \lor (\lnot c \land (Q \mathop{;}_A R)) & \{\text{Definition of conditional}\} \\
= & (P \mathop{;}_A R) \lhd c \rhd (Q \mathop{;}_A R) &
\end{array}$$
□

Lemma L.A.1.3 $\lnot (P \lhd c \rhd Q) = (\lnot P \lhd c \rhd \lnot Q)$

Proof.
$$\begin{array}{lll}
 & \lnot (P \lhd c \rhd Q) & \{\text{Definition of conditional}\} \\
= & \lnot ((c \land P) \lor (\lnot c \land Q)) & \{\text{Predicate calculus}\} \\
= & (\lnot c \lor \lnot P) \land (c \lor \lnot Q) & \{\text{Predicate calculus}\} \\
= & (\lnot c \land c) \lor (\lnot c \land \lnot Q) \lor (\lnot P \land c) \lor (\lnot P \land \lnot Q) & \{\text{Predicate calculus}\} \\
= & (\lnot c \land \lnot Q) \lor (\lnot P \land c) \lor (\lnot P \land \lnot Q) & \{\text{Predicate calculus}\} \\
= & (\lnot c \land \lnot Q) \lor (\lnot P \land (c \lor \lnot Q)) & \{\text{Predicate calculus}\} \\
= & (\lnot c \lor (\lnot P \land (c \lor \lnot Q))) \land (\lnot Q \lor (\lnot P \land (c \lor \lnot Q))) & \{\text{Predicate calculus}\} \\
= & (\lnot c \lor \lnot P) \land (\lnot c \lor c \lor \lnot Q) \land (\lnot Q \lor \lnot P) \land (\lnot Q \lor c \lor \lnot Q) & \{\text{Predicate calculus}\} \\
= & (\lnot c \lor \lnot P) \land (\lnot c \lor c) \land (\lnot Q \lor \lnot P) \land (\lnot Q \lor c) & \{\text{Predicate calculus}\} \\
= & (c \land \lnot P) \lor (\lnot c \land \lnot Q) & \{\text{Definition of conditional}\} \\
= & (\lnot P) \lhd c \rhd (\lnot Q) &
\end{array}$$
□

Lemma L.A.1.4 $P \lhd c \rhd (Q \lor R) = (P \lhd c \rhd Q) \lor (P \lhd c \rhd R)$

Proof.
$$\begin{array}{lll}
 & P \lhd c \rhd (Q \lor R) & \{\text{Definition of conditional}\} \\
= & (c \land P) \lor (\lnot c \land (Q \lor R)) & \{\text{Predicate calculus}\} \\
= & (c \land P) \lor (\lnot c \land Q) \lor (\lnot c \land R) & \{\text{Predicate calculus}\} \\
= & (c \land P) \lor (\lnot c \land Q) \lor (c \land P) \lor (\lnot c \land R) & \{\text{Definition of conditional}\} \\
= & (P \lhd c \rhd Q) \lor (P \lhd c \rhd R) &
\end{array}$$
□

Lemma L.A.1.5 $\lnot (false \lhd c \rhd Q) = true \lhd c \rhd \lnot Q$

Proof.
$$\begin{array}{lll}
 & \lnot (false \lhd c \rhd Q) & \{\text{Lemma L.A.1.3}\} \\
= & (true \lhd c \rhd \lnot Q) &
\end{array}$$
□

Lemma L.A.1.6 $\lnot (true \lhd c \rhd Q) = false \lhd c \rhd \lnot Q$

Proof.
$$\begin{array}{lll}
 & \lnot (true \lhd c \rhd Q) & \{\text{Lemma L.A.1.5}\} \\
= & \lnot \lnot (false \lhd c \rhd \lnot Q) & \{\text{Predicate calculus}\} \\
= & false \lhd c \rhd \lnot Q &
\end{array}$$
□


A.1.2 Predicate Calculus

Lemma L.A.1.7 $(P \land Q) \Leftrightarrow P = P \Rightarrow Q$

Proof.
$$\begin{array}{lll}
 & (P \land Q) \Leftrightarrow P & \{\text{Predicate calculus}\} \\
= & ((P \land Q) \Rightarrow P) \land (P \Rightarrow (P \land Q)) & \{\text{Predicate calculus}\} \\
= & (P \Rightarrow (P \land Q)) & \{\text{Predicate calculus}\} \\
= & P \Rightarrow Q &
\end{array}$$
□

Lemma L.A.1.8 $(P \lor Q) \Leftrightarrow (P \lor R) = P \lor (Q \Leftrightarrow R)$

Proof.
$$\begin{array}{lll}
 & (P \lor Q) \Leftrightarrow (P \lor R) & \{\text{Predicate calculus}\} \\
= & ((P \lor Q) \Rightarrow (P \lor R)) \land ((P \lor R) \Rightarrow (P \lor Q)) & \{\text{Predicate calculus}\} \\
= & (P \Rightarrow (P \lor R)) \land (Q \Rightarrow (P \lor R)) \land (P \Rightarrow (P \lor Q)) \land (R \Rightarrow (P \lor Q)) & \{\text{Predicate calculus}\} \\
= & (Q \Rightarrow (P \lor R)) \land (R \Rightarrow (P \lor Q)) & \{\text{Predicate calculus}\} \\
= & (\lnot Q \lor P \lor R) \land (\lnot R \lor P \lor Q) & \{\text{Predicate calculus}\} \\
= & P \lor ((\lnot Q \lor R) \land (\lnot R \lor Q)) & \{\text{Predicate calculus}\} \\
= & P \lor (Q \Leftrightarrow R) &
\end{array}$$
□


A.2 Theory of Designs

A.2.1 Healthiness Conditions

H1

Lemma L.A.2.1 $\mathbf{H1}(P \lhd c \rhd Q) = \mathbf{H1}(P) \lhd c \rhd \mathbf{H1}(Q)$

Proof.
$$\begin{array}{lll}
 & \mathbf{H1}(P) \lhd c \rhd \mathbf{H1}(Q) & \{\text{Definition of } \mathbf{H1}\} \\
= & (\lnot ok \lor P) \lhd c \rhd (\lnot ok \lor Q) & \{\text{Property of conditional}\} \\
= & (\lnot ok \lhd c \rhd \lnot ok) \lor (P \lhd c \rhd Q) & \{\text{Property of conditional}\} \\
= & \lnot ok \lor (P \lhd c \rhd Q) & \{\text{Definition of } \mathbf{H1}\} \\
= & \mathbf{H1}(P \lhd c \rhd Q) &
\end{array}$$
□

Lemma L.A.2.2 $\mathbf{H1}(P \land Q) = \mathbf{H1}(P) \land \mathbf{H1}(Q)$

Proof.
$$\begin{array}{lll}
 & \mathbf{H1}(P \land Q) & \{\text{Definition of } \mathbf{H1}\} \\
= & ok \Rightarrow (P \land Q) & \{\text{Predicate calculus}\} \\
= & (ok \Rightarrow P) \land (ok \Rightarrow Q) & \{\text{Definition of } \mathbf{H1}\} \\
= & \mathbf{H1}(P) \land \mathbf{H1}(Q) &
\end{array}$$
□

Lemma L.A.2.3 $\mathbf{H1}(P \lor Q) = \mathbf{H1}(P) \lor \mathbf{H1}(Q)$

Proof.
$$\begin{array}{lll}
 & \mathbf{H1}(P \lor Q) & \{\text{Definition of } \mathbf{H1}\} \\
= & ok \Rightarrow (P \lor Q) & \{\text{Predicate calculus}\} \\
= & (ok \Rightarrow P) \lor (ok \Rightarrow Q) & \{\text{Definition of } \mathbf{H1}\} \\
= & \mathbf{H1}(P) \lor \mathbf{H1}(Q) &
\end{array}$$
□


H2

Definition 139 $\mathbf{H2A}(P) \mathrel{\hat{=}} \lnot P^f \Rightarrow (P^t \land ok')$

Lemma L.A.2.4 ($\mathbf{H2A} \Leftrightarrow \mathbf{H2}$) The definition of $\mathbf{H2A}$ implies that its fixed points are the same as those of $\mathbf{H2}$.

Proof for implication. The following proof is based on [?].
$$\begin{array}{lll}
 & P & \{\text{Introduce fresh variable and substitution}\} \\
= & \exists ok_0 \bullet P \land ok' = ok_0 & \{\text{Case-split on } ok_0\} \\
= & (\lnot ok' \land P^f) \lor (ok' \land P^t) & \{\text{Assumption: } P \text{ is } \mathbf{H2}\text{-healthy}\} \\
= & (\lnot ok' \land P^f \land P^t) \lor (ok' \land P^t) & \{\text{Propositional calculus}\} \\
= & (((\lnot ok' \land P^f) \lor ok') \land P^t) & \{\text{Propositional calculus}\} \\
= & ((P^f \lor ok') \land P^t) & \{\text{Propositional calculus}\} \\
= & (P^f \land P^t) \lor (ok' \land P^t) & \{\text{Assumption: } P \text{ is } \mathbf{H2}\text{-healthy}\} \\
= & P^f \lor (ok' \land P^t) & \{\text{Propositional calculus}\} \\
= & \lnot P^f \Rightarrow (P^t \land ok') &
\end{array}$$
□

Proof for reverse implication.
$$\begin{array}{lll}
 & [(\mathbf{H2A}(P))^f \Rightarrow (\mathbf{H2A}(P))^t] & \{\text{Definition of } \mathbf{H2A}\} \\
= & [(\lnot P^f \Rightarrow (P^t \land ok'))^f \Rightarrow (\lnot P^f \Rightarrow (P^t \land ok'))^t] & \{\text{Substitution}\} \\
= & [P^f \Rightarrow (\lnot P^f \Rightarrow P^t)] & \{\text{Propositional calculus}\} \\
= & [\lnot P^f \lor P^f \lor P^t] & \{\text{Propositional calculus}\} \\
= & true &
\end{array}$$
□


A.2.2 Lemmas

Lemma L.A.2.5 Provided $ok \land P$ holds and $ok'$ is not free in $P$, $(P \vdash Q)^t = Q$.

Proof. As stated and proved in [38] (Lemma 4.2). □

Lemma L.A.2.6 Provided $ok'$ is not free in $P$, $ok \land \lnot (P \vdash Q)^f = ok \land P$.

Proof. As stated and proved in [38] (Lemma 4.3). □

Lemma L.A.2.7 $\exists ok' \bullet (P \vdash Q) = (ok \land P) \Rightarrow Q$

Proof.
$$\begin{array}{lll}
 & \exists ok' \bullet (P \vdash Q) & \{\text{Definition of design}\} \\
= & \exists ok' \bullet (ok \land P) \Rightarrow (Q \land ok') & \{\text{Case-split on } ok'\} \\
= & ((ok \land P) \Rightarrow Q) \lor \lnot (ok \land P) & \{\text{Propositional calculus}\} \\
= & (ok \land P) \Rightarrow Q &
\end{array}$$
□

Lemma L.A.2.8
$$(\lnot P^f \vdash P^t) \sqcup (\lnot Q^f \vdash Q^t) = (\lnot P^f \lor \lnot Q^f \vdash (\lnot P^f \Rightarrow P^t) \land (\lnot Q^f \Rightarrow Q^t))$$

Proof.
$$\begin{array}{lll}
 & (\lnot P^f \vdash P^t) \sqcup (\lnot Q^f \vdash Q^t) & \{\text{Definition of design}\} \\
= & ((ok \land \lnot P^f) \Rightarrow (P^t \land ok')) \sqcup ((ok \land \lnot Q^f) \Rightarrow (Q^t \land ok')) & \{\text{Definition of } \sqcup\} \\
= & ((ok \land \lnot P^f) \Rightarrow (P^t \land ok')) \land ((ok \land \lnot Q^f) \Rightarrow (Q^t \land ok')) & \{\text{Propositional calculus}\} \\
= & ok \Rightarrow ((P^t \land ok') \lor P^f) \land ((Q^t \land ok') \lor Q^f) & \{\text{Propositional calculus}\} \\
= & ok \Rightarrow (P^t \lor P^f) \land (ok' \lor P^f) \land (Q^t \lor Q^f) \land (ok' \lor Q^f) & \{\text{Propositional calculus}\} \\
= & ok \Rightarrow (P^t \lor P^f) \land (Q^t \lor Q^f) \land (ok' \lor (P^f \land Q^f)) & \{\text{Propositional calculus: absorption law}\} \\
= & ok \Rightarrow ((P^f \land Q^f) \lor P^t \lor P^f) \land ((P^f \land Q^f) \lor Q^t \lor Q^f) \land (ok' \lor (P^f \land Q^f)) & \{\text{Propositional calculus}\} \\
= & ok \Rightarrow (P^f \land Q^f) \lor ((P^t \lor P^f) \land (Q^t \lor Q^f) \land ok') & \{\text{Propositional calculus}\} \\
= & (ok \land \lnot (P^f \land Q^f)) \Rightarrow ((\lnot P^f \Rightarrow P^t) \land (\lnot Q^f \Rightarrow Q^t) \land ok') & \{\text{Definition of design}\} \\
= & (\lnot P^f \lor \lnot Q^f \vdash (\lnot P^f \Rightarrow P^t) \land (\lnot Q^f \Rightarrow Q^t)) &
\end{array}$$
□


Lemma L.A.2.9 Provided $P$ and $Q$ are designs,
$$\exists ok' \bullet (P \land Q) = (\exists ok' \bullet P) \land (\exists ok' \bullet Q)$$

Proof.
$$\begin{array}{lll}
 & (\exists ok' \bullet P) \land (\exists ok' \bullet Q) & \{\text{Assumption: } P \text{ and } Q \text{ are designs}\} \\
= & (\exists ok' \bullet (\lnot P^f \vdash P^t)) \land (\exists ok' \bullet (\lnot Q^f \vdash Q^t)) & \{\text{Lemma L.A.2.7}\} \\
= & ((ok \land \lnot P^f) \Rightarrow P^t) \land ((ok \land \lnot Q^f) \Rightarrow Q^t) & \{\text{Propositional calculus}\} \\
= & (ok \Rightarrow (P^t \lor P^f)) \land (ok \Rightarrow (Q^t \lor Q^f)) & \{\text{Propositional calculus}\} \\
= & ok \Rightarrow ((P^t \lor P^f) \land (Q^t \lor Q^f)) & \{\text{Propositional calculus: absorption law}\} \\
= & ok \Rightarrow (((P^f \land Q^f) \lor P^t \lor P^f) \land ((P^f \land Q^f) \lor Q^t \lor Q^f)) & \{\text{Propositional calculus}\} \\
= & ok \Rightarrow ((P^f \land Q^f) \lor ((P^t \lor P^f) \land (Q^t \lor Q^f))) & \{\text{Propositional calculus}\} \\
= & (ok \land \lnot (P^f \land Q^f)) \Rightarrow ((\lnot P^f \Rightarrow P^t) \land (\lnot Q^f \Rightarrow Q^t)) & \{\text{Lemma L.A.2.7}\} \\
= & \exists ok' \bullet (\lnot (P^f \land Q^f) \vdash (\lnot P^f \Rightarrow P^t) \land (\lnot Q^f \Rightarrow Q^t)) & \{\text{Conjunction of designs}\} \\
= & \exists ok' \bullet (\lnot P^f \vdash P^t) \land (\lnot Q^f \vdash Q^t) & \{\text{Assumption: } P \text{ and } Q \text{ are designs}\} \\
= & \exists ok' \bullet (P \land Q) &
\end{array}$$
□


Lemma L.A.2.10
$$(\lnot P^f \vdash P^t) \sqcup (\lnot Q^f \vdash Q^t) = (\lnot P^f \lor \lnot Q^f \vdash (P^f \land Q^t) \lor (P^t \land Q^f) \lor (P^t \land Q^t))$$

Proof.
$$\begin{array}{lll}
 & (\lnot P^f \vdash P^t) \sqcup (\lnot Q^f \vdash Q^t) & \{\text{Conjunction of designs}\} \\
= & (\lnot P^f \lor \lnot Q^f \vdash (\lnot P^f \Rightarrow P^t) \land (\lnot Q^f \Rightarrow Q^t)) & \{\text{Propositional calculus}\} \\
= & (\lnot P^f \lor \lnot Q^f \vdash (P^f \lor P^t) \land (Q^f \lor Q^t)) & \{\text{Predicate calculus}\} \\
= & (\lnot (P^f \land Q^f) \vdash (P^f \land Q^f) \lor (P^f \land Q^t) \lor (P^t \land Q^f) \lor (P^t \land Q^t)) & \{\text{Definition of design}\} \\
= & (ok \land \lnot (P^f \land Q^f)) \Rightarrow (((P^f \land Q^f) \lor (P^f \land Q^t) \lor (P^t \land Q^f) \lor (P^t \land Q^t)) \land ok') & \{\text{Predicate calculus}\} \\
= & (ok \land \lnot (P^f \land Q^f) \land (\lnot (P^f \land Q^f) \lor \lnot ok')) \Rightarrow (((P^f \land Q^t) \lor (P^t \land Q^f) \lor (P^t \land Q^t)) \land ok') & \{\text{Predicate calculus: absorption law}\} \\
= & (ok \land \lnot (P^f \land Q^f)) \Rightarrow (((P^f \land Q^t) \lor (P^t \land Q^f) \lor (P^t \land Q^t)) \land ok') & \{\text{Definition of design}\} \\
= & (\lnot (P^f \land Q^f) \vdash (P^f \land Q^t) \lor (P^t \land Q^f) \lor (P^t \land Q^t)) & \{\text{Predicate calculus}\} \\
= & (\lnot P^f \lor \lnot Q^f \vdash (P^f \land Q^t) \lor (P^t \land Q^f) \lor (P^t \land Q^t)) &
\end{array}$$
□


Lemma L.A.2.11 $(P \vdash Q)^f = ok \Rightarrow \neg P^f$

Proof.

$(P \vdash Q)^f$ {Definition of design}

$= ((ok \wedge P) \Rightarrow (Q \wedge ok'))^f$ {Substitution}

$= ((ok \wedge P^f) \Rightarrow (Q^f \wedge false))$ {Predicate calculus}

$= \neg (ok \wedge P^f)$ {Predicate calculus}

$= ok \Rightarrow \neg P^f$

□


Lemma L.A.2.12 $(P \vdash Q)^t = (ok \wedge P^t) \Rightarrow Q^t$

Proof.

$(P \vdash Q)^t$ {Definition of design}

$= ((ok \wedge P) \Rightarrow (Q \wedge ok'))^t$ {Substitution}

$= ((ok \wedge P^t) \Rightarrow (Q^t \wedge true))$ {Predicate calculus}

$= (ok \wedge P^t) \Rightarrow Q^t$

□
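Once the $ok'$-free instances $P^f$, $P^t$, $Q^f$, $Q^t$ are treated as atoms, Lemmas L.A.2.9 to L.A.2.12 are propositional identities and can be checked by exhaustive enumeration. The following Python script is an added example, not part of the thesis: it models a predicate by its two $ok'$-instances, defines $(P \vdash Q)$ as $(ok \wedge P) \Rightarrow (Q \wedge ok')$, verifies the four lemmas over every valuation, and also shows that the simpler guess $(\neg P^f \vee \neg Q^f \vdash P^t \wedge Q^t)$ for the conjunction in Lemma L.A.2.10 is refuted.

```python
"""Exhaustive model check of the design lemmas L.A.2.9 to L.A.2.12.

Added example, not part of the thesis. A design (P |- Q) is the relation
(ok and P) => (Q and ok'). A predicate is modelled only through its two ok'
instances: P^f = P[false/ok'] and P^t = P[true/ok']. Because the lemmas hold
for arbitrary P^f, P^t, Q^f, Q^t, enumerating every truth value of those
atoms (and of ok, ok') is a complete check.
"""
from itertools import product

BOOLS = (False, True)


def implies(a, b):
    return (not a) or b


def pred(pf, pt):
    """Predicate over ok' whose ok' := false instance is pf and ok' := true instance is pt."""
    return lambda okp: pt if okp else pf


def const(v):
    """An ok'-free predicate (the same value under both substitutions)."""
    return pred(v, v)


def design(P, Q):
    """(P |- Q) = (ok and P) => (Q and ok'), as a relation over (ok, ok')."""
    return lambda ok, okp: implies(ok and P(okp), Q(okp) and okp)


def subst(D, okp_value):
    """D^f (okp_value=False) or D^t (okp_value=True): substitute ok' in a relation."""
    return lambda ok: D(ok, okp_value)


def exists_okp(D):
    """exists ok' . D, as a predicate over ok only."""
    return lambda ok: D(ok, False) or D(ok, True)


def conj(D1, D2):
    return lambda ok, okp: D1(ok, okp) and D2(ok, okp)


def relations_equal(D1, D2):
    return all(D1(ok, okp) == D2(ok, okp) for ok in BOOLS for okp in BOOLS)


def lemma_a_2_9():
    """exists ok' . (P and Q) = (exists ok' . P) and (exists ok' . Q) for designs P, Q."""
    for pf, pt, qf, qt in product(BOOLS, repeat=4):
        P = design(const(not pf), const(pt))   # P = (not P^f |- P^t)
        Q = design(const(not qf), const(qt))
        for ok in BOOLS:
            lhs = exists_okp(conj(P, Q))(ok)
            rhs = exists_okp(P)(ok) and exists_okp(Q)(ok)
            if lhs != rhs:
                return False
    return True


def lemma_a_2_10():
    """(not P^f |- P^t) and (not Q^f |- Q^t)
       = (not P^f or not Q^f |- (P^f and Q^t) or (P^t and Q^f) or (P^t and Q^t))."""
    for pf, pt, qf, qt in product(BOOLS, repeat=4):
        lhs = conj(design(const(not pf), const(pt)), design(const(not qf), const(qt)))
        post = (pf and qt) or (pt and qf) or (pt and qt)
        rhs = design(const((not pf) or (not qf)), const(post))
        if not relations_equal(lhs, rhs):
            return False
    return True


def naive_conjunction_fails():
    """The simpler guess (not P^f or not Q^f |- P^t and Q^t) is NOT the conjunction:
    returns True when some valuation separates the two relations."""
    for pf, pt, qf, qt in product(BOOLS, repeat=4):
        lhs = conj(design(const(not pf), const(pt)), design(const(not qf), const(qt)))
        naive = design(const((not pf) or (not qf)), const(pt and qt))
        if not relations_equal(lhs, naive):
            return True
    return False


def lemmas_a_2_11_and_12():
    """(P |- Q)^f = ok => not P^f   and   (P |- Q)^t = (ok and P^t) => Q^t, for any P, Q."""
    for pf, pt, qf, qt in product(BOOLS, repeat=4):
        D = design(pred(pf, pt), pred(qf, qt))
        for ok in BOOLS:
            if subst(D, False)(ok) != implies(ok, not pf):
                return False
            if subst(D, True)(ok) != implies(ok and pt, qt):
                return False
    return True


if __name__ == "__main__":
    print("L.A.2.9 holds:", lemma_a_2_9())
    print("L.A.2.10 holds:", lemma_a_2_10())
    print("naive conjunction is refuted:", naive_conjunction_fails())
    print("L.A.2.11/L.A.2.12 hold:", lemmas_a_2_11_and_12())
```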


Lemma L.A.2.13 $ok \wedge \neg \exists ac' \bullet (P \vdash Q)^f = ok \wedge \neg \exists ac' \bullet \neg P^f$

Proof.

$ok \wedge \neg \exists ac' \bullet (P \vdash Q)^f$ {Lemma L.A.2.11}

$= ok \wedge \neg \exists ac' \bullet (ok \Rightarrow \neg P^f)$ {Predicate calculus}

$= \neg (\neg ok \vee \exists ac' \bullet (ok \Rightarrow \neg P^f))$ {Predicate calculus}

$= \neg \exists ac' \bullet (\neg ok \vee (ok \Rightarrow \neg P^f))$ {Predicate calculus}

$= \neg \exists ac' \bullet (\neg ok \vee \neg P^f)$ {Predicate calculus}

$= \neg (\neg ok \vee \exists ac' \bullet \neg P^f)$ {Predicate calculus}

$= (ok \wedge \neg \exists ac' \bullet \neg P^f)$ {Predicate calculus}

$= ok \wedge \neg \exists ac' \bullet \neg P^f$

□


Lemma L.A.2.14 Provided ok is not free in P and Q,

$(\neg (P \vdash Q)^f \vdash (P \vdash Q)^t) = (P \vdash Q)$

Proof.

$(\neg (P \vdash Q)^f \vdash (P \vdash Q)^t)$ {Lemma L.A.2.6}

$= (P \vdash (P \vdash Q)^t)$ {Lemma L.A.2.5}

$= (P \vdash Q)$

□


Lemma L.A.2.15 Provided ok' is not free in P and Q,

$(\neg \exists ac' \bullet (P \vdash Q)^f \vdash (P \vdash Q)^t) = (\neg \exists ac' \bullet \neg P \vdash Q)$

Proof.

$(\neg \exists ac' \bullet (P \vdash Q)^f \vdash (P \vdash Q)^t)$ {Definition of design and Lemma L.A.2.13}

$= (\neg \exists ac' \bullet \neg P^f \vdash (P \vdash Q)^t)$ {Assumption: ok' is not free in P}

$= (\neg \exists ac' \bullet \neg P \vdash (P \vdash Q)^t)$ {Lemma L.A.2.12}

$= (\neg \exists ac' \bullet \neg P \vdash (ok \wedge P^t) \Rightarrow Q^t)$ {Assumption: ok' not free in P and Q}

$= (\neg \exists ac' \bullet \neg P \vdash (ok \wedge P) \Rightarrow Q)$ {Definition of design and predicate calculus}

$= (\neg \exists ac' \bullet \neg P \vdash P \Rightarrow Q)$ {Predicate calculus}

$= (\neg \exists ac' \bullet \neg P \vdash (\neg P \wedge (\exists ac' \bullet \neg P)) \vee Q)$ {Definition of design and predicate calculus}

$= (\neg \exists ac' \bullet \neg P \vdash Q)$

□


Lemma L.A.2.16 Provided ok' is not free in P and Q,

$(\neg (P \vdash Q)^f_f \vdash (P \vdash Q)^t_f) = (P_f \vdash Q_f)$

Proof.

$(\neg (P \vdash Q)^f_f \vdash (P \vdash Q)^t_f)$ {Definition of design}

$= (\neg ((ok \wedge P) \Rightarrow (Q \wedge ok'))^f_f \vdash ((ok \wedge P) \Rightarrow (Q \wedge ok'))^t_f)$ {Substitution}

$= (\neg ((ok \wedge P_f) \Rightarrow (Q_f \wedge false)) \vdash ((ok \wedge P_f) \Rightarrow (Q_f \wedge true)))$ {Predicate calculus}

$= (ok \wedge P_f \vdash ((ok \wedge P_f) \Rightarrow Q_f))$ {Definition of design}

$= (P_f \vdash ((ok \wedge P_f) \Rightarrow Q_f))$ {Definition of design and predicate calculus}

$= (P_f \vdash Q_f)$

□


A.3 Theory of CSP 

A.3.1 Operators 

Lemma L.A.3.1 $\top_R \mathbin{\Box_R} \mathit{Skip}_R = \mathit{Skip}_R$

Proof.

$\top_R \mathbin{\Box_R} \mathit{Skip}_R$ {Definition of $\top_R$ and $\mathit{Skip}_R$}

$= \mathbf{R}(true \vdash false) \mathbin{\Box_R} \mathbf{R}(true \vdash \neg wait' \wedge tr' = tr)$ {Definition of $\Box_R$}

$= \mathbf{R}(true \wedge true \vdash (false \wedge \neg wait' \wedge tr' = tr) \lhd tr' = tr \wedge wait' \rhd (false \vee (\neg wait' \wedge tr' = tr)))$ {Predicate calculus}

$= \mathbf{R}(true \vdash false \lhd tr' = tr \wedge wait' \rhd (\neg wait' \wedge tr' = tr))$ {Definition of conditional and predicate calculus}

$= \mathbf{R}(true \vdash \neg (tr' = tr \wedge wait') \wedge (\neg wait' \wedge tr' = tr))$ {Predicate calculus}

$= \mathbf{R}(true \vdash (tr' \neq tr \vee \neg wait') \wedge (\neg wait' \wedge tr' = tr))$ {Predicate calculus}

$= \mathbf{R}(true \vdash \neg wait' \wedge tr' = tr)$ {Definition of $\mathit{Skip}_R$}

$= \mathit{Skip}_R$

□


Lemma L.A.3.2 Provided P is a CSP process,
$P \mathbin{\Box_R} \mathit{Stop}_R = P$

Proof.

$P \mathbin{\Box_R} \mathit{Stop}_R$ {Assumption: P is a CSP process and definition of $\mathit{Stop}_R$}

$= \mathbf{R}(\neg P^f_f \vdash P^t_f) \mathbin{\Box_R} \mathbf{R}(true \vdash wait' \wedge tr' = tr)$ {Definition of $\Box_R$}

$= \mathbf{R}(true \wedge \neg P^f_f \vdash (P^t_f \wedge wait' \wedge tr' = tr) \lhd tr' = tr \wedge wait' \rhd (P^t_f \vee (wait' \wedge tr' = tr)))$ {Definition of conditional and predicate calculus}

\[
= \mathbf{R}\left(\neg P^f_f \vdash \begin{array}{l}
(P^t_f \wedge tr' = tr \wedge wait') \\
\vee\; (tr' \neq tr \wedge (P^t_f \vee (wait' \wedge tr' = tr))) \\
\vee\; (\neg wait' \wedge (P^t_f \vee (wait' \wedge tr' = tr)))
\end{array}\right)
\]
{Predicate calculus}

$= \mathbf{R}(\neg P^f_f \vdash (P^t_f \wedge tr' = tr \wedge wait') \vee (tr' \neq tr \wedge P^t_f) \vee (\neg wait' \wedge P^t_f))$ {Predicate calculus}

$= \mathbf{R}(\neg P^f_f \vdash P^t_f \wedge ((tr' = tr \wedge wait') \vee tr' \neq tr \vee \neg wait'))$ {Predicate calculus}

$= \mathbf{R}(\neg P^f_f \vdash P^t_f \wedge ((tr' = tr \wedge wait') \vee \neg (tr' = tr \wedge wait')))$ {Predicate calculus}

$= \mathbf{R}(\neg P^f_f \vdash P^t_f)$ {Assumption: P is a CSP process}

$= P$

□


Lemma L.A.3.3

$a \to_R \mathit{Stop}_R = \mathbf{R}(true \vdash wait' \wedge ((a \notin ref' \wedge tr' = tr) \vee (tr' = tr ^\frown \langle a \rangle)))$

Proof.

$a \to_R \mathit{Stop}_R$ {Definition of event prefixing}

$= a \to_R \mathit{Skip}_R ; \mathit{Stop}_R$ {Definition of event prefixing and $\mathit{Stop}_R$}

$= \mathbf{R}(true \vdash (tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; \mathbf{R}(true \vdash tr' = tr \wedge wait')$ {Definition of sequential composition}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg (\mathbf{R1}(\neg true) ; \mathbf{R1}(true)) \wedge \neg (\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) \wedge \neg wait' ; \mathbf{R1}(\neg true)) \\
\vdash \\
\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(tr' = tr \wedge wait'))
\end{array}\right)
\]
{Predicate calculus and definition of $\mathbf{R1}$}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg (false ; \mathbf{R1}(true)) \wedge \neg (\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) \wedge \neg wait' ; false) \\
\vdash \\
\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(tr' = tr \wedge wait'))
\end{array}\right)
\]
{Definition of sequential composition}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg false \wedge \neg false \\
\vdash \\
\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(tr' = tr \wedge wait'))
\end{array}\right)
\]
{Predicate calculus}

$= \mathbf{R}(true \vdash \mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(tr' = tr \wedge wait')))$ {Predicates are $\mathbf{R1}$-healthy}

$= \mathbf{R}(true \vdash ((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd (tr' = tr \wedge wait')))$ {Definition of conditional}

$= \mathbf{R}(true \vdash ((wait' \wedge tr' = tr \wedge a \notin ref') \vee (\neg wait' \wedge tr' = tr ^\frown \langle a \rangle)) ; ((wait \wedge \mathit{II}) \vee (\neg wait \wedge tr' = tr \wedge wait')))$ {Distributivity of sequential composition}

\[
= \mathbf{R}\left(true \vdash \begin{array}{l}
((wait' \wedge tr' = tr \wedge a \notin ref') ; (wait \wedge \mathit{II})) \\
\vee\; ((\neg wait' \wedge tr' = tr ^\frown \langle a \rangle) ; (wait \wedge \mathit{II})) \\
\vee\; ((wait' \wedge tr' = tr \wedge a \notin ref') ; (\neg wait \wedge tr' = tr \wedge wait')) \\
\vee\; ((\neg wait' \wedge tr' = tr ^\frown \langle a \rangle) ; (\neg wait \wedge tr' = tr \wedge wait'))
\end{array}\right)
\]
{Property of sequential composition}

$= \mathbf{R}(true \vdash ((wait' \wedge tr' = tr \wedge a \notin ref') ; (wait \wedge \mathit{II})) \vee ((\neg wait' \wedge tr' = tr ^\frown \langle a \rangle) ; (\neg wait \wedge tr' = tr \wedge wait')))$ {Definition of sequential composition}

\[
= \mathbf{R}\left(true \vdash \begin{array}{l}
(\exists wait_0, ref_0, tr_0 \bullet wait_0 \wedge tr_0 = tr \wedge a \notin ref_0 \wedge wait_0 \wedge \mathit{II}[wait_0, ref_0, tr_0/wait, ref, tr]) \\
\vee\; (\exists wait_0, ref_0, tr_0 \bullet \neg wait_0 \wedge tr_0 = tr ^\frown \langle a \rangle \wedge \neg wait_0 \wedge tr' = tr_0 \wedge wait')
\end{array}\right)
\]
{One-point rule}

$= \mathbf{R}(true \vdash (\exists ref_0 \bullet a \notin ref_0 \wedge \mathit{II}[true, ref_0, tr/wait, ref, tr]) \vee (tr' = tr ^\frown \langle a \rangle \wedge wait'))$ {Definition of $\mathit{II}$}

$= \mathbf{R}(true \vdash (\exists ref_0 \bullet a \notin ref_0 \wedge ref' = ref_0 \wedge wait' \wedge tr' = tr) \vee (tr' = tr ^\frown \langle a \rangle \wedge wait'))$ {One-point rule}

$= \mathbf{R}(true \vdash (a \notin ref' \wedge wait' \wedge tr' = tr) \vee (tr' = tr ^\frown \langle a \rangle \wedge wait'))$ {Predicate calculus}

$= \mathbf{R}(true \vdash wait' \wedge ((a \notin ref' \wedge tr' = tr) \vee (tr' = tr ^\frown \langle a \rangle)))$

□


Lemma L.A.3.4

$a \to_R \mathit{Choice}_R = \mathbf{R}(true \vdash (tr' = tr \wedge a \notin ref' \wedge wait') \vee (tr ^\frown \langle a \rangle \le tr'))$

Proof.

$a \to_R \mathit{Choice}_R$ {Definition of prefixing}

$= (a \to_R \mathit{Skip}_R) ; \mathit{Choice}_R$ {Definition of prefixing and $\mathit{Choice}_R$}

$= \mathbf{R}(true \vdash (tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; \mathbf{R}(true \vdash true)$ {Definition of sequential composition}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg (\mathbf{R1}(\neg true) ; \mathbf{R1}(true)) \wedge \neg (\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) \wedge \neg wait' ; \mathbf{R1}(\neg true)) \\
\vdash \\
\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(true))
\end{array}\right)
\]
{Predicate calculus}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg (\mathbf{R1}(false) ; \mathbf{R1}(true)) \wedge \neg (\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) \wedge \neg wait' ; \mathbf{R1}(false)) \\
\vdash \\
\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(true))
\end{array}\right)
\]
{Property of sequential composition}

$= \mathbf{R}(\neg false \wedge \neg false \vdash \mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(true)))$ {Predicate calculus}

$= \mathbf{R}(true \vdash \mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(true)))$ {Definition of $\mathbf{R1}$ and predicate is $\mathbf{R1}$-healthy}

$= \mathbf{R}(true \vdash ((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd tr \le tr'))$ {Definition of conditional and predicate calculus}

$= \mathbf{R}(true \vdash ((wait' \wedge tr' = tr \wedge a \notin ref') \vee (\neg wait' \wedge tr' = tr ^\frown \langle a \rangle)) ; ((wait \wedge \mathit{II}) \vee (\neg wait \wedge tr \le tr')))$ {Relational calculus}

\[
= \mathbf{R}\left(true \vdash \begin{array}{l}
((wait' \wedge tr' = tr \wedge a \notin ref') ; (wait \wedge \mathit{II})) \\
\vee\; ((wait' \wedge tr' = tr \wedge a \notin ref') ; (\neg wait \wedge tr \le tr')) \\
\vee\; ((\neg wait' \wedge tr' = tr ^\frown \langle a \rangle) ; (wait \wedge \mathit{II})) \\
\vee\; ((\neg wait' \wedge tr' = tr ^\frown \langle a \rangle) ; (\neg wait \wedge tr \le tr'))
\end{array}\right)
\]
{Property of sequential composition}

$= \mathbf{R}(true \vdash ((wait' \wedge tr' = tr \wedge a \notin ref') ; (wait \wedge \mathit{II})) \vee ((\neg wait' \wedge tr' = tr ^\frown \langle a \rangle) ; (\neg wait \wedge tr \le tr')))$ {Definition of sequential composition}





\[
= \mathbf{R}\left(true \vdash \begin{array}{l}
(\exists wait_0, tr_0, ref_0 \bullet wait_0 \wedge tr_0 = tr \wedge a \notin ref_0 \wedge wait_0 \wedge \mathit{II}[wait_0, ref_0, tr_0/wait, ref, tr]) \\
\vee\; (\exists wait_0, tr_0, ref_0 \bullet \neg wait_0 \wedge tr_0 = tr ^\frown \langle a \rangle \wedge \neg wait_0 \wedge tr_0 \le tr')
\end{array}\right)
\]
{One-point rule and definition of $\mathit{II}$}

$= \mathbf{R}(true \vdash (tr' = tr \wedge a \notin ref' \wedge wait') \vee (tr ^\frown \langle a \rangle \le tr'))$

□


Lemma L.A.3.5

$a \to_R \mathit{Chaos}_R = \mathbf{R}(\neg (tr ^\frown \langle a \rangle \le tr') \vdash wait' \wedge tr' = tr \wedge a \notin ref')$

Proof.

$a \to_R \mathit{Chaos}_R$ {Definition of prefixing}

$= a \to_R \mathit{Skip}_R ; \mathbf{R}(false \vdash true)$ {Definition of prefixing}

$= \mathbf{R}(true \vdash (tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; \mathbf{R}(false \vdash true)$ {Definition of sequence}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg (\mathbf{R1}(\neg true) ; \mathbf{R1}(true)) \wedge \neg (\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) \wedge \neg wait' ; \mathbf{R1}(\neg false)) \\
\vdash \\
\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(true))
\end{array}\right)
\]
{Predicate calculus}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg (\mathbf{R1}(false) ; \mathbf{R1}(true)) \wedge \neg (\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) \wedge \neg wait' ; \mathbf{R1}(true)) \\
\vdash \\
\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(true))
\end{array}\right)
\]
{Property of $\mathbf{R1}$ and sequential composition}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg false \wedge \neg (\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) \wedge \neg wait' ; \mathbf{R1}(true)) \\
\vdash \\
\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(true))
\end{array}\right)
\]
{Predicate calculus}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg (\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) \wedge \neg wait' ; \mathbf{R1}(true)) \\
\vdash \\
\mathbf{R1}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(true))
\end{array}\right)
\]
{Predicates are $\mathbf{R1}$-healthy}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg (((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) \wedge \neg wait' ; \mathbf{R1}(true)) \\
\vdash \\
((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(true))
\end{array}\right)
\]
{Property of conditional}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg ((tr' = tr ^\frown \langle a \rangle \wedge \neg wait') ; \mathbf{R1}(true)) \\
\vdash \\
((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd \mathbf{R1}(true))
\end{array}\right)
\]
{Definition of $\mathbf{R1}(true)$}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg ((tr' = tr ^\frown \langle a \rangle \wedge \neg wait') ; tr \le tr') \\
\vdash \\
((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr ^\frown \langle a \rangle)) ; (\mathit{II} \lhd wait \rhd tr \le tr')
\end{array}\right)
\]
{Definition of conditional}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg ((tr' = tr ^\frown \langle a \rangle \wedge \neg wait') ; tr \le tr') \\
\vdash \\
((wait' \wedge tr' = tr \wedge a \notin ref') \vee (\neg wait' \wedge tr' = tr ^\frown \langle a \rangle)) ; ((wait \wedge \mathit{II}) \vee (\neg wait \wedge tr \le tr'))
\end{array}\right)
\]
{Relational calculus}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg ((tr' = tr ^\frown \langle a \rangle \wedge \neg wait') ; tr \le tr') \\
\vdash \\
((wait' \wedge tr' = tr \wedge a \notin ref') ; (wait \wedge \mathit{II})) \\
\vee\; ((wait' \wedge tr' = tr \wedge a \notin ref') ; (\neg wait \wedge tr \le tr')) \\
\vee\; ((\neg wait' \wedge tr' = tr ^\frown \langle a \rangle) ; (wait \wedge \mathit{II})) \\
\vee\; ((\neg wait' \wedge tr' = tr ^\frown \langle a \rangle) ; (\neg wait \wedge tr \le tr'))
\end{array}\right)
\]
{Property of sequential composition}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg ((tr' = tr ^\frown \langle a \rangle \wedge \neg wait') ; tr \le tr') \\
\vdash \\
((wait' \wedge tr' = tr \wedge a \notin ref') ; (wait \wedge \mathit{II})) \vee ((\neg wait' \wedge tr' = tr ^\frown \langle a \rangle) ; (\neg wait \wedge tr \le tr'))
\end{array}\right)
\]
{Definition of sequential composition}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg (\exists wait_0, tr_0, ref_0 \bullet tr_0 = tr ^\frown \langle a \rangle \wedge \neg wait_0 \wedge tr_0 \le tr') \\
\vdash \\
(\exists wait_0, tr_0, ref_0 \bullet wait_0 \wedge tr_0 = tr \wedge a \notin ref_0 \wedge wait_0 \wedge \mathit{II}[wait_0, tr_0, ref_0/wait, tr, ref]) \\
\vee\; (\exists wait_0, tr_0, ref_0 \bullet \neg wait_0 \wedge tr_0 = tr ^\frown \langle a \rangle \wedge \neg wait_0 \wedge tr_0 \le tr')
\end{array}\right)
\]
{Definition of $\mathit{II}$}

\[
= \mathbf{R}\left(\begin{array}{l}
\neg (\exists wait_0, tr_0, ref_0 \bullet tr_0 = tr ^\frown \langle a \rangle \wedge \neg wait_0 \wedge tr_0 \le tr') \\
\vdash \\
(\exists wait_0, tr_0, ref_0 \bullet wait_0 \wedge tr_0 = tr \wedge a \notin ref_0 \wedge wait_0 \wedge wait_0 = wait' \wedge tr_0 = tr' \wedge ref_0 = ref') \\
\vee\; (\exists wait_0, tr_0, ref_0 \bullet \neg wait_0 \wedge tr_0 = tr ^\frown \langle a \rangle \wedge \neg wait_0 \wedge tr_0 \le tr')
\end{array}\right)
\]
{One-point rule}

$= \mathbf{R}(\neg (tr ^\frown \langle a \rangle \le tr') \vdash (a \notin ref' \wedge wait' \wedge tr = tr') \vee (tr ^\frown \langle a \rangle \le tr'))$ {Predicate calculus}

$= \mathbf{R}(\neg (tr ^\frown \langle a \rangle \le tr') \vdash \neg (tr ^\frown \langle a \rangle \le tr') \wedge ((a \notin ref' \wedge wait' \wedge tr = tr') \vee (tr ^\frown \langle a \rangle \le tr')))$ {Predicate calculus}

$= \mathbf{R}(\neg (tr ^\frown \langle a \rangle \le tr') \vdash (a \notin ref' \wedge wait' \wedge tr = tr'))$

□




Appendix B

Extended Binary Multirelations

B.1 Healthiness Conditions

B.1.1 BMH0

Definition 12

$\mathbf{BMH} = \forall s, ss_0, ss_1 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1) \Rightarrow (s, ss_1) \in B$


Lemma L.3.2.1

\[
\mathbf{BMH0} \Leftrightarrow \left(\begin{array}{l}
\forall s, ss_0, ss_1 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \in ss_0 \wedge \bot \in ss_1) \Rightarrow (s, ss_1) \in B \\
\wedge \\
\mathbf{BMH}
\end{array}\right)
\]

Proof.

$\mathbf{BMH0}$ {Definition of $\mathbf{BMH0}$}

$\Leftrightarrow \forall s : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss_1)) \Rightarrow (s, ss_1) \in B$ {Propositional calculus}

$\Leftrightarrow \forall s : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge ((\bot \in ss_0 \wedge \bot \in ss_1) \vee (\bot \notin ss_1 \wedge \bot \notin ss_0))) \Rightarrow (s, ss_1) \in B$ {Propositional calculus}

\[
\Leftrightarrow \forall s : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet \left(\begin{array}{l}
(((s, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \in ss_0 \wedge \bot \in ss_1) \Rightarrow (s, ss_1) \in B) \\
\wedge \\
(((s, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \notin ss_0 \wedge \bot \notin ss_1) \Rightarrow (s, ss_1) \in B)
\end{array}\right)
\]
{Predicate calculus}

\[
\Leftrightarrow \left(\begin{array}{l}
(\forall s : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \in ss_0 \wedge \bot \in ss_1) \Rightarrow (s, ss_1) \in B) \\
\wedge \\
(\forall s : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \notin ss_0 \wedge \bot \notin ss_1) \Rightarrow (s, ss_1) \in B)
\end{array}\right)
\]
{Predicate calculus: type restriction}

\[
\Leftrightarrow \left(\begin{array}{l}
(\forall s : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \in ss_0 \wedge \bot \in ss_1) \Rightarrow (s, ss_1) \in B) \\
\wedge \\
(\forall s : State, ss_0, ss_1 : \mathbb{P}\,State \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1) \Rightarrow (s, ss_1) \in B)
\end{array}\right)
\]
{Definition of $\mathbf{BMH}$ (Definition 12)}

\[
\Leftrightarrow \left(\begin{array}{l}
(\forall s : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \in ss_0 \wedge \bot \in ss_1) \Rightarrow (s, ss_1) \in B) \\
\wedge \\
\mathbf{BMH}
\end{array}\right)
\]

□


Lemma L.B.1.1 Provided B is $\mathbf{BMH0}$-healthy,

\[
\begin{array}{l}
(\exists s_0 : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet ((s_0, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \in ss_0 \wedge \bot \in ss_1)) \\
\Leftrightarrow \\
(\exists s_0 : State, ss_1 : \mathbb{P}\,State_\bot \bullet (s_0, ss_1) \in B \wedge \bot \in ss_1)
\end{array}
\]

Proof. (Implication)

$(\exists s_0 : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet ((s_0, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \in ss_0 \wedge \bot \in ss_1))$ {Assumption: B is $\mathbf{BMH0}$-healthy}

$\Rightarrow \exists s_0 : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet ((s_0, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \in ss_0 \wedge \bot \in ss_1 \wedge (s_0, ss_1) \in B)$ {Propositional calculus}

$\Rightarrow \exists s_0 : State, ss_1 : \mathbb{P}\,State_\bot \bullet (\bot \in ss_1 \wedge (s_0, ss_1) \in B)$

□

Proof. (Reverse implication)

$\exists s_0 : State, ss_1 : \mathbb{P}\,State_\bot \bullet (\bot \in ss_1 \wedge (s_0, ss_1) \in B)$ {Propositional calculus: introduce fresh variable}

$\Rightarrow \exists s_0 : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet (\bot \in ss_1 \wedge (s_0, ss_1) \in B \wedge ss_0 = ss_1 \wedge (s_0, ss_0) \in B \wedge \bot \in ss_0)$ {Propositional calculus: weaken predicate}

$\Rightarrow \exists s_0 : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet (\bot \in ss_1 \wedge (s_0, ss_1) \in B \wedge ss_0 \subseteq ss_1 \wedge (s_0, ss_0) \in B \wedge \bot \in ss_0)$

□


B.1.2 BMH1

Lemma L.B.1.2

$\mathbf{BMH1} \Leftrightarrow \forall s : State, ss : \mathbb{P}\,State_\bot \bullet ((s, ss \cup \{\bot\}) \in B \wedge \bot \notin ss) \Rightarrow (s, ss) \in B$

Proof.

$\mathbf{BMH1}$ {Definition of $\mathbf{BMH1}$}

$\Leftrightarrow \forall s : State, ss : \mathbb{P}\,State_\bot \bullet (s, ss \cup \{\bot\}) \in B \Rightarrow (s, ss) \in B$ {Predicate calculus}

$\Leftrightarrow \forall s : State, ss : \mathbb{P}\,State_\bot \bullet ((s, ss \cup \{\bot\}) \in B \wedge (\bot \in ss \vee \bot \notin ss)) \Rightarrow (s, ss) \in B$ {Predicate calculus}

\[
\Leftrightarrow \forall s : State, ss : \mathbb{P}\,State_\bot \bullet \left(\begin{array}{l}
(((s, ss \cup \{\bot\}) \in B \wedge \bot \in ss) \Rightarrow (s, ss) \in B) \\
\wedge \\
(((s, ss \cup \{\bot\}) \in B \wedge \bot \notin ss) \Rightarrow (s, ss) \in B)
\end{array}\right)
\]
{Property of sets (Lemma L.B.5.5)}

\[
\Leftrightarrow \forall s : State, ss : \mathbb{P}\,State_\bot \bullet \left(\begin{array}{l}
(((s, ss) \in B \wedge \bot \in ss) \Rightarrow (s, ss) \in B) \\
\wedge \\
(((s, ss \cup \{\bot\}) \in B \wedge \bot \notin ss) \Rightarrow (s, ss) \in B)
\end{array}\right)
\]
{Predicate calculus}

$\Leftrightarrow \forall s : State, ss : \mathbb{P}\,State_\bot \bullet ((s, ss \cup \{\bot\}) \in B \wedge \bot \notin ss) \Rightarrow (s, ss) \in B$

□


B.2 Healthiness Conditions as Fixed Points

B.2.1 bmh_0

Lemma L.3.3.1 $\mathbf{BMH0} \Leftrightarrow \mathit{bmh}_0(B) = B$

Proof.

$\mathbf{BMH0}$ {Definition of $\mathbf{BMH0}$}

$\Leftrightarrow \forall s_0 : State, ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet ((s_0, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss_1)) \Rightarrow (s_0, ss_1) \in B$ {Predicate calculus: quantifier scope}

$\Leftrightarrow \forall s_0 : State, ss_1 : \mathbb{P}\,State_\bot \bullet (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s_0, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss_1)) \Rightarrow (s_0, ss_1) \in B$ {Property of sets: subset inclusion}

$\Leftrightarrow \{ s_0 : State, ss_1 : \mathbb{P}\,State_\bot \mid \exists ss_0 : \mathbb{P}\,State_\bot \bullet (s_0, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss_1) \} \subseteq B$ {Property of sets}

$\Leftrightarrow (\{ s_0 : State, ss_1 : \mathbb{P}\,State_\bot \mid \exists ss_0 : \mathbb{P}\,State_\bot \bullet (s_0, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss_1) \} \cup B) = B$ {Property of sets}

$\Leftrightarrow \{ s_0 : State, ss_1 : \mathbb{P}\,State_\bot \mid (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s_0, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss_1)) \vee (s_0, ss_1) \in B \} = B$ {Instantiation of existential quantifier for $ss_0 = ss_1$}

$\Leftrightarrow \{ s_0 : State, ss_1 : \mathbb{P}\,State_\bot \mid \exists ss_0 : \mathbb{P}\,State_\bot \bullet (s_0, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss_1) \} = B$ {Definition of $\mathit{bmh}_0$}

$\Leftrightarrow \mathit{bmh}_0(B) = B$

□


Lemma L.3.3.5 $\mathit{bmh}_0 \circ \mathit{bmh}_0(B) = \mathit{bmh}_0(B)$

Proof.

$\mathit{bmh}_0 \circ \mathit{bmh}_0(B)$ {Definition of $\mathit{bmh}_0$}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s, ss_0) \in \mathit{bmh}_0(B) \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss) \}$ {Definition of $\mathit{bmh}_0$}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
\exists ss_0 \bullet (s, ss_0) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s, ss_0) \in B \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss) \} \\
\wedge\; ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array} \right\}
\]
{Variable renaming}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
\exists ss_0 \bullet (s, ss_0) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid \exists ss_1 \bullet (s, ss_1) \in B \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \} \\
\wedge\; ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array} \right\}
\]
{Property of sets}





\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
\exists ss_0, ss_1 \bullet (s, ss_1) \in B \wedge ss_1 \subseteq ss_0 \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss_0) \\
\wedge\; ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array} \right\}
\]
{Predicate calculus and transitivity of subset inclusion}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid \exists ss_1 \bullet (s, ss_1) \in B \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \}$ {Definition of $\mathit{bmh}_0$}

$= \mathit{bmh}_0(B)$

□


B.2.2 bmh_1

Lemma L.3.3.2 $\mathbf{BMH1} \Leftrightarrow \mathit{bmh}_1(B) = B$

Proof.

$\mathbf{BMH1}$ {Definition of $\mathbf{BMH1}$}

$\Leftrightarrow \forall s : State; ss : \mathbb{P}\,State_\bot \bullet (s, ss \cup \{\bot\}) \in B \Rightarrow (s, ss) \in B$ {Property of sets and definition of subset inclusion}

$\Leftrightarrow \{ s : State; ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \} \subseteq B$ {Property of sets}

$\Leftrightarrow (\{ s : State; ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \} \cup B) = B$ {Property of sets}

$\Leftrightarrow \{ s : State; ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B \} = B$ {Definition of $\mathit{bmh}_1$}

$\Leftrightarrow \mathit{bmh}_1(B) = B$

□


Lemma L.3.3.6 $\mathit{bmh}_1 \circ \mathit{bmh}_1(B) = \mathit{bmh}_1(B)$

Proof.

$\mathit{bmh}_1 \circ \mathit{bmh}_1(B)$ {Definition of $\mathit{bmh}_1$}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in \mathit{bmh}_1(B) \vee (s, ss) \in \mathit{bmh}_1(B) \}$ {Definition of $\mathit{bmh}_1$}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(s, ss \cup \{\bot\}) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B \} \\
\vee \\
(s, ss) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B \}
\end{array} \right\}
\]
{Property of sets}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(s, ss \cup \{\bot\} \cup \{\bot\}) \in B \vee (s, ss \cup \{\bot\}) \in B \\
\vee \\
(s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B
\end{array} \right\}
\]
{Property of sets and predicate calculus}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B \}$ {Definition of $\mathit{bmh}_1$}

$= \mathit{bmh}_1(B)$

□


B.2.3 bmh_2

Lemma L.3.3.3 $\mathbf{BMH2} \Leftrightarrow \mathit{bmh}_2(B) = B$

Proof.

$\mathbf{BMH2}$ {Definition of $\mathbf{BMH2}$}

$\Leftrightarrow \forall s : State \bullet (s, \emptyset) \in B \Leftrightarrow (s, \{\bot\}) \in B$ {Predicate calculus}

$\Leftrightarrow \forall s : State \bullet ((s, \emptyset) \in B \Rightarrow (s, \{\bot\}) \in B) \wedge ((s, \{\bot\}) \in B \Rightarrow (s, \emptyset) \in B)$ {Predicate calculus}

\[
\Leftrightarrow \forall s : State \bullet \left(\begin{array}{l}
((\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, \emptyset) \in B \wedge (s, ss_0) \in B) \Rightarrow (s, \{\bot\}) \in B) \\
\wedge \\
((\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, \{\bot\}) \in B \wedge (s, ss_0) \in B) \Rightarrow (s, \emptyset) \in B)
\end{array}\right)
\]
{Predicate calculus}

\[
\Leftrightarrow \forall s : State, ss_0 : \mathbb{P}\,State_\bot \bullet \left(\begin{array}{l}
(((s, \emptyset) \in B \wedge (s, ss_0) \in B) \Rightarrow (s, \{\bot\}) \in B) \\
\wedge \\
(((s, \{\bot\}) \in B \wedge (s, ss_0) \in B) \Rightarrow (s, \emptyset) \in B)
\end{array}\right)
\]
{Predicate calculus}





\[
\Leftrightarrow \forall s : State, ss_0 : \mathbb{P}\,State_\bot \bullet \left(\begin{array}{l}
((s, ss_0) \in B \Rightarrow ((s, \{\bot\}) \in B \vee (s, \emptyset) \notin B)) \\
\wedge \\
((s, ss_0) \in B \Rightarrow ((s, \emptyset) \in B \vee (s, \{\bot\}) \notin B))
\end{array}\right)
\]
{Predicate calculus}

\[
\Leftrightarrow \forall s : State, ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0) \in B \Rightarrow \left(\begin{array}{l}
((s, \{\bot\}) \in B \vee (s, \emptyset) \notin B) \\
\wedge \\
((s, \emptyset) \in B \vee (s, \{\bot\}) \notin B)
\end{array}\right)
\]
{Predicate calculus}

$\Leftrightarrow \forall s : State, ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0) \in B \Rightarrow ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B)$ {Property of sets}

$\Leftrightarrow B \subseteq \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B \}$ {Property of sets}

$\Leftrightarrow B = (B \cap \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B \})$ {Property of sets}

$\Leftrightarrow B = \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \}$ {Definition of $\mathit{bmh}_2$}

$\Leftrightarrow B = \mathit{bmh}_2(B)$

□


Lemma L.3.3.7 $\mathit{bmh}_2 \circ \mathit{bmh}_2(B) = \mathit{bmh}_2(B)$

Proof.

$\mathit{bmh}_2 \circ \mathit{bmh}_2(B)$ {Definition of $\mathit{bmh}_2$}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in \mathit{bmh}_2(B) \wedge ((s, \{\bot\}) \in \mathit{bmh}_2(B) \Leftrightarrow (s, \emptyset) \in \mathit{bmh}_2(B)) \}$ {Definition of $\mathit{bmh}_2$}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(s, ss) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \} \\
\wedge \\
\left(\begin{array}{l}
(s, \{\bot\}) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \} \\
\Leftrightarrow \\
(s, \emptyset) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \}
\end{array}\right)
\end{array} \right\}
\]
{Property of sets}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \\
\wedge \\
\left(\begin{array}{l}
((s, \{\bot\}) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B)) \\
\Leftrightarrow \\
((s, \emptyset) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B))
\end{array}\right)
\end{array} \right\}
\]
{Predicate calculus}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \\
\wedge\; (((s, \{\bot\}) \in B \wedge (s, \emptyset) \in B) \Leftrightarrow ((s, \emptyset) \in B \wedge (s, \{\bot\}) \in B))
\end{array} \right\}
\]
{Predicate calculus}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \}$ {Definition of $\mathit{bmh}_2$}

$= \mathit{bmh}_2(B)$

□


B.2.4 bmh_3

Lemma L.3.3.4 $\mathbf{BMH3} \Leftrightarrow \mathit{bmh}_3(B) = B$

Proof.

$\mathbf{BMH3}$ {Definition of $\mathbf{BMH3}$}

$\Leftrightarrow \forall s : State \bullet ((s, \emptyset) \notin B) \Rightarrow (\forall ss : \mathbb{P}\,State_\bot \bullet (s, ss) \in B \Rightarrow \bot \notin ss)$ {Predicate calculus}

$\Leftrightarrow \forall s : State, ss : \mathbb{P}\,State_\bot \bullet ((s, \emptyset) \notin B) \Rightarrow ((s, ss) \in B \Rightarrow \bot \notin ss)$ {Predicate calculus}

$\Leftrightarrow \forall s : State, ss : \mathbb{P}\,State_\bot \bullet ((s, ss) \in B \wedge \bot \in ss) \Rightarrow (s, \emptyset) \in B$ {Predicate calculus}

$\Leftrightarrow \forall s : State, ss : \mathbb{P}\,State_\bot \bullet (s, ss) \in B \Rightarrow ((s, \emptyset) \in B \vee \bot \notin ss)$ {Property of sets and subset inclusion}

$\Leftrightarrow B \subseteq \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \}$ {Property of sets}

$\Leftrightarrow B = (B \cap \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \})$ {Property of sets}

$\Leftrightarrow B = \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B \}$ {Definition of $\mathit{bmh}_3$}

$\Leftrightarrow B = \mathit{bmh}_3(B)$

□


Lemma L.3.3.8 $\mathit{bmh}_3 \circ \mathit{bmh}_3(B) = \mathit{bmh}_3(B)$

Proof.

$\mathit{bmh}_3 \circ \mathit{bmh}_3(B)$ {Definition of $\mathit{bmh}_3$}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in \mathit{bmh}_3(B) \vee \bot \notin ss) \wedge (s, ss) \in \mathit{bmh}_3(B) \}$ {Definition of $\mathit{bmh}_3$}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
((s, \emptyset) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B \} \vee \bot \notin ss) \\
\wedge \\
(s, ss) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B \}
\end{array} \right\}
\]
{Property of sets}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
((((s, \emptyset) \in B \vee \bot \notin \emptyset) \wedge (s, \emptyset) \in B) \vee \bot \notin ss) \\
\wedge \\
(((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B)
\end{array} \right\}
\]
{Predicate calculus: absorption law}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \wedge ((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B \}$ {Predicate calculus and definition of $\mathit{bmh}_3$}

$= \mathit{bmh}_3(B)$

□


B.2.5 bmh_0 and bmh_1

Lemma L.B.2.1

\[
\mathit{bmh}_0 \circ \mathit{bmh}_1(B) = \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
\exists ss_0 \bullet ((s, ss_0) \in B \vee (s, ss_0 \cup \{\bot\}) \in B) \\
\wedge\; ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array} \right\}
\]

Proof.

$\mathit{bmh}_0 \circ \mathit{bmh}_1(B)$ {Definition of $\mathit{bmh}_0$}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s, ss_0) \in \mathit{bmh}_1(B) \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss) \}$ {Definition of $\mathit{bmh}_1$}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
\exists ss_0 \bullet (s, ss_0) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B \} \\
\wedge\; ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array} \right\}
\]
{Property of sets}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s, ss_0 \cup \{\bot\}) \in B \vee (s, ss_0) \in B) \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss) \}$ {Predicate calculus}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
\exists ss_0 \bullet ((s, ss_0 \cup \{\bot\}) \in B \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \\
\vee \\
\exists ss_0 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss))
\end{array} \right\}
\]
{Predicate calculus}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
\exists ss_0 \bullet ((s, ss_0) \in B \vee (s, ss_0 \cup \{\bot\}) \in B) \\
\wedge\; ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array} \right\}
\]

□


Properties

Lemma L.B.2.2 $\mathit{bmh}_0 \circ \mathit{bmh}_1(B) = \mathit{bmh}_1 \circ \mathit{bmh}_0(B)$

Proof.

$\mathit{bmh}_1 \circ \mathit{bmh}_0(B)$ {Definition of $\mathit{bmh}_1$}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in \mathit{bmh}_0(B) \vee (s, ss) \in \mathit{bmh}_0(B) \}$ {Definition of $\mathit{bmh}_0$}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(s, ss \cup \{\bot\}) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s, ss_0) \in B \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss) \} \\
\vee \\
(s, ss) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s, ss_0) \in B \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss) \}
\end{array} \right\}
\]
{Property of sets}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
\exists ss_0 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge (\bot \in ss_0 \Leftrightarrow \bot \in (ss \cup \{\bot\}))) \\
\vee \\
\exists ss_0 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss))
\end{array} \right\}
\]
{Property of sets and predicate calculus}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
\exists ss_0 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge \bot \in ss_0) \\
\vee \\
\exists ss_0 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss))
\end{array} \right\}
\]
{Lemma L.B.5.1}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
\exists ss_0 \bullet ((s, ss_0 \cup \{\bot\}) \in B \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \\
\vee \\
\exists ss_0 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss))
\end{array} \right\}
\]
{Predicate calculus}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
\exists ss_0 \bullet ((s, ss_0 \cup \{\bot\}) \in B \vee (s, ss_0) \in B) \\
\wedge\; ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array} \right\}
\]
{Lemma L.B.2.1}

$= \mathit{bmh}_0 \circ \mathit{bmh}_1(B)$

□


B.2.6 bmh_1 and bmh_2

Lemma L.B.2.3

$\mathit{bmh}_1 \circ \mathit{bmh}_2(B) = \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \wedge ((s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B) \}$

Proof.

$\mathit{bmh}_1 \circ \mathit{bmh}_2(B)$ {Definition of $\mathit{bmh}_1$}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in \mathit{bmh}_2(B) \vee (s, ss) \in \mathit{bmh}_2(B) \}$ {Definition of $\mathit{bmh}_2$}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(s, ss \cup \{\bot\}) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \} \\
\vee \\
(s, ss) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \}
\end{array} \right\}
\]
{Property of sets}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
((s, ss \cup \{\bot\}) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B)) \\
\vee \\
((s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B))
\end{array} \right\}
\]
{Predicate calculus}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \wedge ((s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B) \}$

□


Lemma L.B.2.4

$\mathit{bmh}_2 \circ \mathit{bmh}_1(B) = \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B) \wedge ((s, \emptyset) \in B \Rightarrow (s, \{\bot\}) \in B) \}$

Proof.

$\mathit{bmh}_2 \circ \mathit{bmh}_1(B)$ {Definition of $\mathit{bmh}_2$}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in \mathit{bmh}_1(B) \wedge ((s, \{\bot\}) \in \mathit{bmh}_1(B) \Leftrightarrow (s, \emptyset) \in \mathit{bmh}_1(B)) \}$ {Definition of $\mathit{bmh}_1$}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(s, ss) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B \} \\
\wedge \\
\left(\begin{array}{l}
(s, \{\bot\}) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B \} \\
\Leftrightarrow \\
(s, \emptyset) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B \}
\end{array}\right)
\end{array} \right\}
\]
{Property of sets}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
((s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B) \\
\wedge \\
(((s, \{\bot\} \cup \{\bot\}) \in B \vee (s, \{\bot\}) \in B) \Leftrightarrow ((s, \emptyset \cup \{\bot\}) \in B \vee (s, \emptyset) \in B))
\end{array} \right\}
\]
{Property of sets and predicate calculus}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
((s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B) \\
\wedge \\
((s, \{\bot\}) \in B \Leftrightarrow ((s, \{\bot\}) \in B \vee (s, \emptyset) \in B))
\end{array} \right\}
\]
{Predicate calculus}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B) \wedge ((s, \emptyset) \in B \Rightarrow (s, \{\bot\}) \in B) \}$

□


It can be concluded from Lemma L.B.2.4 and Lemma L.B.2.3 that the functional
application of $\mathit{bmh}_1 \circ \mathit{bmh}_2$ is stronger than that of $\mathit{bmh}_2 \circ \mathit{bmh}_1$. The order in
which these two healthiness conditions are functionally composed is important, since
they are not necessarily commutative. The following counter-example illustrates the
issue for a relation that is not BMH2-healthy.

Counter-example 5

$\mathit{bmh}_2 \circ \mathit{bmh}_1(\{ s : State, ss : \mathbb{P}\,State_\bot \mid ss = \{\bot\} \})$ {Lemma L.B.2.4}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid ss = \{\bot\} \vee ss = \emptyset \}$

$\mathit{bmh}_1 \circ \mathit{bmh}_2(\{ s : State, ss : \mathbb{P}\,State_\bot \mid ss = \{\bot\} \})$ {Lemma L.B.2.3}
B.2.7 bmh_2 and bmh_3

Lemma L.B.2.5

$\mathit{bmh}_2 \circ \mathit{bmh}_3(B) = \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B \wedge ((s, \emptyset) \in B \Rightarrow (s, \{\bot\}) \in B) \}$

Proof.

$\mathit{bmh}_2 \circ \mathit{bmh}_3(B)$ {Definition of $\mathit{bmh}_2$}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in \mathit{bmh}_3(B) \wedge ((s, \{\bot\}) \in \mathit{bmh}_3(B) \Leftrightarrow (s, \emptyset) \in \mathit{bmh}_3(B)) \}$ {Definition of $\mathit{bmh}_3$}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(s, ss) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B \} \\
\wedge \\
\left(\begin{array}{l}
(s, \{\bot\}) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B \} \\
\Leftrightarrow \\
(s, \emptyset) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B \}
\end{array}\right)
\end{array} \right\}
\]
{Property of sets}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B) \\
\wedge \\
\left(\begin{array}{l}
(((s, \emptyset) \in B \vee \bot \notin \{\bot\}) \wedge (s, \{\bot\}) \in B) \\
\Leftrightarrow \\
(((s, \emptyset) \in B \vee \bot \notin \emptyset) \wedge (s, \emptyset) \in B)
\end{array}\right)
\end{array} \right\}
\]
{Property of sets and predicate calculus}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B) \\
\wedge\; (((s, \emptyset) \in B \wedge (s, \{\bot\}) \in B) \Leftrightarrow (s, \emptyset) \in B)
\end{array} \right\}
\]
{Predicate calculus}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B \wedge ((s, \emptyset) \in B \Rightarrow (s, \{\bot\}) \in B) \}$

□


Lemma L.B.2.6

$\mathit{bmh}_3 \circ \mathit{bmh}_2(B) = \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \}$

Proof.

$\mathit{bmh}_3 \circ \mathit{bmh}_2(B)$ {Definition of $\mathit{bmh}_3$}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in \mathit{bmh}_2(B) \vee \bot \notin ss) \wedge (s, ss) \in \mathit{bmh}_2(B) \}$ {Definition of $\mathit{bmh}_2(B)$}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
((s, \emptyset) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \} \vee \bot \notin ss) \\
\wedge \\
(s, ss) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \}
\end{array} \right\}
\]
{Property of sets}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
(((s, \emptyset) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B)) \vee \bot \notin ss) \\
\wedge \\
(s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B)
\end{array} \right\}
\]
{Predicate calculus}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
((s, \emptyset) \in B \vee \bot \notin ss) \\
\wedge \\
(((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \vee \bot \notin ss) \\
\wedge \\
(s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B)
\end{array} \right\}
\]
{Predicate calculus: absorption law}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in B \vee \bot \notin ss) \wedge (s, ss) \in B \wedge ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \}$

□


The functions $\mathit{bmh}_2$ and $\mathit{bmh}_3$ are not in general commutative. The following
counter-example illustrates the issue for a relation that is not BMH2-healthy.

Counter-example 6

$\mathit{bmh}_2 \circ \mathit{bmh}_3(\{ s : State, ss : \mathbb{P}\,State_\bot \mid ss = \{\bot\} \vee ss = \{s\} \})$ {Lemma L.B.2.5}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid ss = \{s\} \}$

$\mathit{bmh}_3 \circ \mathit{bmh}_2(\{ s : State, ss : \mathbb{P}\,State_\bot \mid ss = \{\bot\} \vee ss = \{s\} \})$ {Lemma L.B.2.6}

$= \emptyset$
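The fixed-point lemmas of Section B.2 and Counter-examples 5 and 6 can be checked mechanically on a finite model. The following Python script is an added example, not part of the thesis: it implements $\mathit{bmh}_0$ to $\mathit{bmh}_3$ literally from their definitions over the one-point state space the counter-examples use, with $\bot$ encoded as the constructed string "bot", and evaluates idempotence, the commutativity of $\mathit{bmh}_0$ and $\mathit{bmh}_1$ (Lemma L.B.2.2), the inclusion $\mathit{bmh}_1 \circ \mathit{bmh}_2 \subseteq \mathit{bmh}_2 \circ \mathit{bmh}_1$, and both counter-examples over every relation of the model.

```python
"""Finite model of the healthiness functions bmh_0 .. bmh_3 on extended binary
multirelations (Appendix B).

Added example, not part of the thesis. A relation B is a set of pairs (s, ss)
with s a state and ss a frozenset of states that may contain BOTTOM, the
constructed encoding of the divergent outcome (the thesis's bottom element).
With a finite State the functions can be computed by enumerating every
ss : P State_bot, so the fixed-point lemmas (L.3.3.5 to L.3.3.8), the
commutativity of bmh_0 and bmh_1 (Lemma L.B.2.2) and the two counter-examples
can be checked directly. The one-point state space {"s"} is the one the
counter-examples use.
"""
from itertools import combinations

BOTTOM = "bot"                           # stands for the divergent/undefined outcome
STATE = frozenset({"s"})                 # a single proper state, as in the counter-examples
STATE_BOT = STATE | {BOTTOM}


def powerset(xs):
    xs = list(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


ALL_SS = powerset(STATE_BOT)             # every final set ss : P State_bot
ALL_PAIRS = [(s, ss) for s in STATE for ss in ALL_SS]


def bmh0(B):
    """{s, ss | exists ss0 . (s, ss0) in B and ss0 subseteq ss and (BOTTOM in ss0 <=> BOTTOM in ss)}."""
    return frozenset(
        (s, ss) for (s, ss) in ALL_PAIRS
        if any((s, ss0) in B and ss0 <= ss and ((BOTTOM in ss0) == (BOTTOM in ss))
               for ss0 in ALL_SS))


def bmh1(B):
    """{s, ss | (s, ss union {BOTTOM}) in B or (s, ss) in B}."""
    return frozenset((s, ss) for (s, ss) in ALL_PAIRS
                     if (s, ss | {BOTTOM}) in B or (s, ss) in B)


def bmh2(B):
    """{s, ss | (s, ss) in B and ((s, {BOTTOM}) in B <=> (s, {}) in B)}."""
    return frozenset((s, ss) for (s, ss) in B
                     if ((s, frozenset({BOTTOM})) in B) == ((s, frozenset()) in B))


def bmh3(B):
    """{s, ss | ((s, {}) in B or BOTTOM not in ss) and (s, ss) in B}."""
    return frozenset((s, ss) for (s, ss) in B
                     if (s, frozenset()) in B or BOTTOM not in ss)


def rel(*final_sets):
    """{s : State, ss : P State_bot | ss = X or ss = Y or ...} over the one-point state space."""
    return frozenset((s, frozenset(ss)) for s in STATE for ss in final_sets)


def all_relations():
    """Every relation over STATE x P State_bot (16 of them for the one-point state)."""
    return powerset(ALL_PAIRS)


def is_idempotent(f, B):
    return f(f(B)) == f(B)


def counter_example_5():
    """bmh_2 o bmh_1 versus bmh_1 o bmh_2 on {s, ss | ss = {BOTTOM}} (not BMH2-healthy)."""
    B = rel({BOTTOM})
    return bmh2(bmh1(B)), bmh1(bmh2(B))


def counter_example_6():
    """bmh_2 o bmh_3 versus bmh_3 o bmh_2 on {s, ss | ss = {BOTTOM} or ss = {s}}."""
    B = rel({BOTTOM}, {"s"})
    return bmh2(bmh3(B)), bmh3(bmh2(B))


def check_all():
    """The properties the lemmas state, evaluated over every relation of the finite model."""
    rels = all_relations()
    return {
        "idempotent": all(is_idempotent(f, B) for f in (bmh0, bmh1, bmh2, bmh3) for B in rels),
        "bmh0_bmh1_commute": all(bmh0(bmh1(B)) == bmh1(bmh0(B)) for B in rels),
        "bmh1_bmh2_stronger": all(bmh1(bmh2(B)) <= bmh2(bmh1(B)) for B in rels),
        "bmh1_bmh2_commute": all(bmh1(bmh2(B)) == bmh2(bmh1(B)) for B in rels),
        "bmh2_bmh3_commute": all(bmh2(bmh3(B)) == bmh3(bmh2(B)) for B in rels),
    }


if __name__ == "__main__":
    print(check_all())
    print("Counter-example 5:", counter_example_5())
    print("Counter-example 6:", counter_example_6())
```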


B.2.8 bmh_1 and bmh_3

Lemma L.B.2.7

$\mathit{bmh}_3 \circ \mathit{bmh}_1(B) = \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \{\bot\}) \in B \vee (s, \emptyset) \in B \vee \bot \notin ss) \wedge ((s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B) \}$

Proof.

$\mathit{bmh}_3 \circ \mathit{bmh}_1(B)$ {Definition of $\mathit{bmh}_3$}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \emptyset) \in \mathit{bmh}_1(B) \vee \bot \notin ss) \wedge (s, ss) \in \mathit{bmh}_1(B) \}$ {Definition of $\mathit{bmh}_1$}

\[
= \left\{ s : State, ss : \mathbb{P}\,State_\bot \;\middle|\; \begin{array}{l}
((s, \emptyset) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B \} \vee \bot \notin ss) \\
\wedge \\
(s, ss) \in \{ s : State, ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B \}
\end{array} \right\}
\]
{Property of sets}

$= \{ s : State, ss : \mathbb{P}\,State_\bot \mid ((s, \{\bot\}) \in B \vee (s, \emptyset) \in B \vee \bot \notin ss) \wedge ((s, ss \cup \{\bot\}) \in B \vee (s, ss) \in B) \}$

□


Lemma L.B.2.8
\[
bmh_1 \circ bmh_3(B) = \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land ((s, ss \cup \{\bot\}) \in B \lor (s,ss) \in B)) \lor (\bot \notin ss \land (s,ss) \in B) \,\}
\]

Proof.
\[
\begin{array}{ll}
& bmh_1 \circ bmh_3(B) \qquad \{\text{Definition of } bmh_1\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in bmh_3(B) \lor (s,ss) \in bmh_3(B) \,\} \qquad \{\text{Definition of } bmh_3\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s, ss \cup \{\bot\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \lor \bot \notin ss) \land (s,ss) \in B \,\} \\
& \qquad \lor\ (s,ss) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \lor \bot \notin ss) \land (s,ss) \in B \,\} \,\} \qquad \{\text{Property of sets}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (((s,\emptyset) \in B \lor \bot \notin (ss \cup \{\bot\})) \land (s, ss \cup \{\bot\}) \in B) \lor (((s,\emptyset) \in B \lor \bot \notin ss) \land (s,ss) \in B) \,\} \\
& \qquad \{\text{Property of sets and predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s, ss \cup \{\bot\}) \in B) \lor ((s,\emptyset) \in B \land (s,ss) \in B) \lor (\bot \notin ss \land (s,ss) \in B) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land ((s, ss \cup \{\bot\}) \in B \lor (s,ss) \in B)) \lor (\bot \notin ss \land (s,ss) \in B) \,\}
\end{array}
\]
□


The functions $bmh_3$ and $bmh_1$ do not necessarily commute. The following
counter-example shows this for a relation that is not BMH3-healthy. In fact, the
composition $bmh_3 \circ bmh_1$ is not suitable, as the counter-example shows
that we have a fixed point.

Counter-example 7
\[
\begin{array}{ll}
& bmh_3 \circ bmh_1(\{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ss = \{\bot, s\} \lor ss = \{\bot\} \,\}) \qquad \{\text{Lemma L.B.2.7}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ss = \{\bot, s\} \lor ss = \{\bot\} \,\}
\end{array}
\]
\[
\begin{array}{ll}
& bmh_1 \circ bmh_3(\{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ss = \{\bot, s\} \lor ss = \{\bot\} \,\}) \qquad \{\text{Lemma L.B.2.8}\} \\
= & \emptyset
\end{array}
\]


B.2.9 $bmh_{0,1,2}$

Lemma L.3.3.9
\[
bmh_{0,1,2}(B) = \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\}
\]

Proof.
\[
\begin{array}{ll}
& bmh_0 \circ bmh_1 \circ bmh_2(B) \qquad \{\text{Definition of } bmh_0 \circ bmh_1\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in bmh_2(B) \lor (s, ss_0 \cup \{\bot\}) \in bmh_2(B)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \qquad \{\text{Definition of } bmh_2\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s,ss) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \,\} \\
& \qquad \lor\ (s, ss_0 \cup \{\bot\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s,ss) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \,\}) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \qquad \{\text{Property of sets}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (((s,ss_0) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B)) \lor ((s, ss_0 \cup \{\bot\}) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B))) \\
& \qquad \land\ ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\}
\end{array}
\]
□


Theorem T.3.3.1 $\textrm{BMH0} \land \textrm{BMH1} \land \textrm{BMH2} \Leftrightarrow bmh_{0,1,2}(B) = B$

Proof. Follows from Lemmas L.3.3.10 to L.3.3.13 below. □

Lemma L.3.3.10 $(bmh_{0,1,2}(B) = B) \Rightarrow \textrm{BMH0}$

Proof.
\[
\begin{array}{ll}
& \textrm{BMH0} \qquad \{\text{Definition of BMH0}\} \\
= & \forall s_0 : State,\ ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet ((s_0,ss_0) \in B \land ss_0 \subseteq ss_1 \land (\bot \in ss_0 \Leftrightarrow \bot \in ss_1)) \Rightarrow (s_0,ss_1) \in B \qquad \{\text{Predicate calculus: quantifier scope}\} \\
= & \forall s_0 : State,\ ss_1 : \mathbb{P}\,State_\bot \bullet (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s_0,ss_0) \in B \land ss_0 \subseteq ss_1 \land (\bot \in ss_0 \Leftrightarrow \bot \in ss_1)) \Rightarrow (s_0,ss_1) \in B \qquad \{\text{Assumption: } bmh_{0,1,2}(B) = B\} \\
= & \forall s_0 : State,\ ss_1 : \mathbb{P}\,State_\bot \bullet (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s_0,ss_0) \in bmh_{0,1,2}(B) \land ss_0 \subseteq ss_1 \land (\bot \in ss_0 \Leftrightarrow \bot \in ss_1)) \Rightarrow (s_0,ss_1) \in bmh_{0,1,2}(B) \qquad \{\text{Lemma L.B.2.12}\} \\
= & \forall s_0 : State,\ ss_1 : \mathbb{P}\,State_\bot \bullet \\
& \qquad \left( ((s_0,\{\bot\}) \in B \Leftrightarrow (s_0,\emptyset) \in B) \land \exists ss_0 \bullet ((s_0,ss_0) \in B \lor (s_0, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq ss_1 \land (\bot \in ss_0 \Leftrightarrow \bot \in ss_1) \right) \Rightarrow (s_0,ss_1) \in bmh_{0,1,2}(B) \\
& \qquad \{\text{Lemma L.B.2.11}\} \\
= & \forall s_0 : State,\ ss_1 : \mathbb{P}\,State_\bot \bullet (s_0,ss_1) \in bmh_{0,1,2}(B) \Rightarrow (s_0,ss_1) \in bmh_{0,1,2}(B) \qquad \{\text{Predicate calculus}\} \\
= & \mathit{true}
\end{array}
\]
□


Lemma L.3.3.11 $(bmh_{0,1,2}(B) = B) \Rightarrow \textrm{BMH1}$

Proof.
\[
\begin{array}{ll}
& \textrm{BMH1} \qquad \{\text{Lemma L.B.1.2}\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet ((s, ss \cup \{\bot\}) \in B \land \bot \notin ss) \Rightarrow (s,ss) \in B \qquad \{\text{Assumption: } bmh_{0,1,2}(B) = B\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet ((s, ss \cup \{\bot\}) \in bmh_{0,1,2}(B) \land \bot \notin ss) \Rightarrow (s,ss) \in bmh_{0,1,2}(B) \qquad \{\text{Lemma L.B.2.11}\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet \\
& \qquad \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \bot \notin ss \land \exists ss_0 : \mathbb{P}\,State_\bot \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq (ss \cup \{\bot\}) \land (\bot \in ss_0 \Leftrightarrow \bot \in (ss \cup \{\bot\})) \right) \\
& \qquad \Rightarrow (s,ss) \in bmh_{0,1,2}(B) \qquad \{\text{Property of sets}\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet \\
& \qquad \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \bot \notin ss \land \exists ss_0 : \mathbb{P}\,State_\bot \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq (ss \cup \{\bot\}) \land \bot \in ss_0 \right) \\
& \qquad \Rightarrow (s,ss) \in bmh_{0,1,2}(B) \qquad \{\text{Predicate calculus and property of sets}\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet \\
& \qquad \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \bot \notin ss \land \exists ss_0 : \mathbb{P}\,State_\bot \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land (ss_0 \setminus \{\bot\}) \subseteq ss \land \bot \in ss_0 \right) \\
& \qquad \Rightarrow (s,ss) \in bmh_{0,1,2}(B) \qquad \{\text{Introduce fresh variable}\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet \\
& \qquad \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \bot \notin ss \land \exists ss_0, t : \mathbb{P}\,State_\bot \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land t \subseteq ss \land \bot \in ss_0 \land t = (ss_0 \setminus \{\bot\}) \right) \\
& \qquad \Rightarrow (s,ss) \in bmh_{0,1,2}(B) \qquad \{\text{Lemma L.B.5.2}\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet \\
& \qquad \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \bot \notin ss \land \exists ss_0, t : \mathbb{P}\,State_\bot \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land t \subseteq ss \land \bot \notin t \land t \cup \{\bot\} = ss_0 \right) \\
& \qquad \Rightarrow (s,ss) \in bmh_{0,1,2}(B) \qquad \{\text{One-point rule}\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet \\
& \qquad \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \bot \notin ss \land \exists t : \mathbb{P}\,State_\bot \bullet ((s, t \cup \{\bot\}) \in B \lor (s, t \cup \{\bot\} \cup \{\bot\}) \in B) \land t \subseteq ss \land \bot \notin t \right) \\
& \qquad \Rightarrow (s,ss) \in bmh_{0,1,2}(B) \qquad \{\text{Property of sets and predicate calculus}\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet \\
& \qquad \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists t : \mathbb{P}\,State_\bot \bullet (s, t \cup \{\bot\}) \in B \land t \subseteq ss \land \bot \notin t \land \bot \notin ss \right) \\
& \qquad \Rightarrow (s,ss) \in bmh_{0,1,2}(B) \qquad \{\text{Lemma L.B.2.11}\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet \\
& \qquad \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists t : \mathbb{P}\,State_\bot \bullet (s, t \cup \{\bot\}) \in B \land t \subseteq ss \land \bot \notin t \land \bot \notin ss \right) \\
& \qquad \Rightarrow \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists ss_0 : \mathbb{P}\,State_\bot \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \right) \\
& \qquad \{\text{Predicate calculus}\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet \\
& \qquad \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists t : \mathbb{P}\,State_\bot \bullet (s, t \cup \{\bot\}) \in B \land t \subseteq ss \land \bot \notin t \land \bot \notin ss \right) \\
& \qquad \Rightarrow \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \lor (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \right) \right) \\
& \qquad \{\text{Predicate calculus}\} \\
= & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet \\
& \qquad \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists t : \mathbb{P}\,State_\bot \bullet (s, t \cup \{\bot\}) \in B \land t \subseteq ss \land \bot \notin t \land \bot \notin ss \right) \\
& \qquad \Rightarrow \left( ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \\ \lor\ (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ss \land \bot \in ss_0 \land \bot \in ss) \\ \lor\ (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \end{array} \right) \right) \\
& \qquad \{\text{Variable renaming and predicate calculus}\} \\
= & \mathit{true}
\end{array}
\]
□


Lemma L.3.3.12 $(bmh_{0,1,2}(B) = B) \Rightarrow \textrm{BMH2}$

Proof.
\[
\begin{array}{ll}
& \textrm{BMH2} \qquad \{\text{Definition of BMH2}\} \\
= & \forall s : State \bullet (s,\emptyset) \in B \Leftrightarrow (s,\{\bot\}) \in B \qquad \{\text{Assumption: } bmh_{0,1,2}(B) = B\} \\
= & \forall s : State \bullet (s,\emptyset) \in bmh_{0,1,2}(B) \Leftrightarrow (s,\{\bot\}) \in bmh_{0,1,2}(B) \qquad \{\text{Lemma L.B.2.13 and Lemma L.B.2.14}\} \\
= & \forall s : State \bullet ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \Leftrightarrow ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \qquad \{\text{Predicate calculus}\} \\
= & \mathit{true}
\end{array}
\]
□


Lemma L.3.3.13 Provided $B$ is BMH0-BMH2-healthy, $bmh_{0,1,2}(B) = B$.

Proof.
\[
\begin{array}{ll}
& bmh_{0,1,2}(B) = B \qquad \{\text{Definition of } bmh_{0,1,2}\} \\
\Leftrightarrow & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} = B \\
& \qquad \{\text{Assumption: } B \text{ is BMH2-healthy}\} \\
\Leftrightarrow & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} = B \\
& \qquad \{\text{Assumption: } B \text{ is BMH1-healthy and predicate calculus}\} \\
\Leftrightarrow & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in B \lor ((s, ss_0 \cup \{\bot\}) \in B \land (s,ss_0) \in B)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} = B \\
& \qquad \{\text{Predicate calculus: absorption law}\} \\
\Leftrightarrow & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} = B \qquad \{\text{Assumption: } B \text{ is BMH0-healthy}\} \\
\Leftrightarrow & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \land (s,ss) \in B \,\} = B \\
& \qquad \{\text{Instantiation of existential quantifier for } ss_0 = ss\} \\
\Leftrightarrow & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \lor (s,ss) \in B) \land (s,ss) \in B \,\} = B \\
& \qquad \{\text{Predicate calculus: absorption law}\} \\
\Leftrightarrow & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s,ss) \in B \,\} = B \qquad \{\text{Property of sets}\} \\
\Leftrightarrow & \mathit{true}
\end{array}
\]
□


Lemma L.B.2.9 $bmh_{0,1,2} \circ bmh_{0,1,2}(B) = bmh_{0,1,2}(B)$

Proof.
\[
\begin{array}{ll}
& bmh_{0,1,2} \circ bmh_{0,1,2}(B) \qquad \{\text{Definition of } bmh_{0,1,2}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in bmh_{0,1,2}(B) \lor (s, ss_0 \cup \{\bot\}) \in bmh_{0,1,2}(B)) \land ((s,\{\bot\}) \in bmh_{0,1,2}(B) \Leftrightarrow (s,\emptyset) \in bmh_{0,1,2}(B)) \\
& \qquad \land\ ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \qquad \{\text{Lemma L.B.2.14, Lemma L.B.2.13 and predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in bmh_{0,1,2}(B) \lor (s, ss_0 \cup \{\bot\}) \in bmh_{0,1,2}(B)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (\exists ss_0 \bullet (s,ss_0) \in bmh_{0,1,2}(B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \\
& \qquad \lor\ (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in bmh_{0,1,2}(B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \,\} \qquad \{\text{Lemma L.B.2.12}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists ss_1 \bullet ((s,ss_1) \in B \lor (s, ss_1 \cup \{\bot\}) \in B) \land ss_1 \subseteq ss \land (\bot \in ss_1 \Leftrightarrow \bot \in ss)) \\
& \qquad \lor\ (((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists ss_1 \bullet ((s,ss_1) \in B \lor (s, ss_1 \cup \{\bot\} \cup \{\bot\}) \in B) \land ss_1 \subseteq ss \land (\bot \in ss_1 \Leftrightarrow \bot \in ss)) \,\} \\
& \qquad \{\text{Property of sets and predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists ss_1 \bullet ((s,ss_1) \in B \lor (s, ss_1 \cup \{\bot\}) \in B) \land ss_1 \subseteq ss \land (\bot \in ss_1 \Leftrightarrow \bot \in ss) \,\} \\
& \qquad \{\text{Definition of } bmh_{0,1,2}\} \\
= & bmh_{0,1,2}(B)
\end{array}
\]
□


Lemma L.B.2.10
\[
bmh_{0,1,2}(B) = \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \land (s,\emptyset) \in B) \lor \left( ((s,\{\bot\}) \notin B \land (s,\emptyset) \notin B) \land \left( (((s,ac') \in B \,;\, ac \subseteq ss) \land \bot \notin ss) \lor ((s, ac' \cup \{\bot\}) \in B \,;\, ac \subseteq ss) \right) \right) \,\}
\]

Proof.
\[
\begin{array}{ll}
& bmh_{0,1,2}(B) \qquad \{\text{Definition of } bmh_{0,1,2}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \in ss_0 \land \bot \in ss) \\ \lor\ (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \\ \lor\ (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \end{array} \right) \,\} \qquad \{\text{Lemma L.B.5.1}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \in ss_0 \land \bot \in ss) \\ \lor\ (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \\ \lor\ (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq (ss \cup \{\bot\}) \land \bot \in ss_0) \end{array} \right) \,\} \qquad \{\text{Property of sets}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq (ss \cup \{\bot\}) \land \bot \in ss_0 \land \bot \in ss) \\ \lor\ (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \\ \lor\ (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq (ss \cup \{\bot\}) \land \bot \in ss_0) \end{array} \right) \,\} \qquad \{\text{Predicate calculus: absorption law}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \\ \lor\ (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq (ss \cup \{\bot\}) \land \bot \in ss_0) \end{array} \right) \,\} \qquad \{\text{Property of sets}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \\ \lor\ (\exists ss_0 \bullet (s,ss_0) \in B \land (ss_0 \setminus \{\bot\}) \subseteq ss \land \bot \in ss_0) \end{array} \right) \,\} \qquad \{\text{Introduce fresh variable}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \\ \lor\ (\exists t, ss_0 \bullet (s,ss_0) \in B \land t = (ss_0 \setminus \{\bot\}) \land t \subseteq ss \land \bot \in ss_0) \end{array} \right) \,\} \qquad \{\text{Lemma L.B.5.2}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \\ \lor\ (\exists t, ss_0 \bullet (s,ss_0) \in B \land (t \cup \{\bot\}) = ss_0 \land t \subseteq ss \land \bot \notin t) \end{array} \right) \,\} \qquad \{\text{One-point rule}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \\ \lor\ (\exists t \bullet (s, t \cup \{\bot\}) \in B \land t \subseteq ss \land \bot \notin t) \end{array} \right) \,\} \qquad \{\text{Type: } \bot \notin ss_0, t\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 : \mathbb{P}\,State \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss) \\ \lor\ (\exists t : \mathbb{P}\,State \bullet (s, t \cup \{\bot\}) \in B \land t \subseteq ss) \end{array} \right) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (((s,\{\bot\}) \in B \land (s,\emptyset) \in B) \lor ((s,\{\bot\}) \notin B \land (s,\emptyset) \notin B)) \land \left( \begin{array}{l} (\exists ss_0 : \mathbb{P}\,State \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss) \\ \lor\ (\exists t : \mathbb{P}\,State \bullet (s, t \cup \{\bot\}) \in B \land t \subseteq ss) \end{array} \right) \,\} \\
& \qquad \{\text{Instantiation: consider case where } t = \emptyset\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\{\bot\}) \in B \land (s,\emptyset) \in B) \lor \left( ((s,\{\bot\}) \notin B \land (s,\emptyset) \notin B) \land \left( (((s,ac') \in B \,;\, ac \subseteq ss) \land \bot \notin ss) \lor ((s, ac' \cup \{\bot\}) \in B \,;\, ac \subseteq ss) \right) \right) \,\}
\end{array}
\]
□


Lemma L.B.2.11
\[
(s,ss) \in bmh_{0,1,2}(B) = ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\]

Proof.
\[
\begin{array}{ll}
& (s,ss) \in bmh_{0,1,2}(B) \qquad \{\text{Definition of } bmh_{0,1,2}(B)\} \\
= & (s,ss) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \\
& \qquad \{\text{Property of sets}\} \\
= & ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array}
\]
□


Lemma L.B.2.12
\[
\begin{array}{ll}
& \exists ss_1 \bullet (s,ss_1) \in bmh_{0,1,2}(B) \land ss_1 \subseteq ss \land (\bot \in ss_1 \Leftrightarrow \bot \in ss) \\
= & ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array}
\]

Proof.
\[
\begin{array}{ll}
& \exists ss_1 \bullet (s,ss_1) \in bmh_{0,1,2}(B) \land ss_1 \subseteq ss \land (\bot \in ss_1 \Leftrightarrow \bot \in ss) \qquad \{\text{Definition of } bmh_{0,1,2}\} \\
= & \exists ss_1 \bullet (s,ss_1) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \\
& \qquad \land\ ss_1 \subseteq ss \land (\bot \in ss_1 \Leftrightarrow \bot \in ss) \qquad \{\text{Property of sets}\} \\
= & \exists ss_1 \bullet \left( \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss_1 \land (\bot \in ss_0 \Leftrightarrow \bot \in ss_1) \right) \\
& \qquad \land\ ss_1 \subseteq ss \land (\bot \in ss_1 \Leftrightarrow \bot \in ss) \qquad \{\text{Predicate calculus: quantifier scope}\} \\
= & ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists ss_1 \bullet \left( \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq ss_1 \land (\bot \in ss_0 \Leftrightarrow \bot \in ss_1) \right) \land ss_1 \subseteq ss \land (\bot \in ss_1 \Leftrightarrow \bot \in ss) \\
& \qquad \{\text{Predicate calculus}\} \\
= & ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0, ss_1 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss_1 \land (\bot \in ss_0 \Leftrightarrow \bot \in ss_1) \land ss_1 \subseteq ss \land (\bot \in ss_1 \Leftrightarrow \bot \in ss)) \\ \lor\ (\exists ss_0, ss_1 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ss_1 \land (\bot \in ss_0 \Leftrightarrow \bot \in ss_1) \land ss_1 \subseteq ss \land (\bot \in ss_1 \Leftrightarrow \bot \in ss)) \end{array} \right) \\
& \qquad \{\text{Predicate calculus}\} \\
= & ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \\ \lor\ (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \end{array} \right) \qquad \{\text{Predicate calculus}\} \\
= & ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array}
\]
□


Lemma L.B.2.13 $(s,\emptyset) \in bmh_{0,1,2}(B) = (s,\emptyset) \in B \land (s,\{\bot\}) \in B$

Proof.
\[
\begin{array}{ll}
& (s,\emptyset) \in bmh_{0,1,2}(B) \qquad \{\text{Definition of } bmh_{0,1,2}\} \\
= & (s,\emptyset) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \\
& \qquad \{\text{Property of sets}\} \\
= & \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq \emptyset \land (\bot \in ss_0 \Leftrightarrow \bot \in \emptyset) \qquad \{\text{Predicate calculus}\} \\
= & \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq \emptyset \land \bot \notin ss_0 \qquad \{\text{Case analysis on } ss_0 \text{ and one-point rule}\} \\
= & ((s,\emptyset) \in B \lor (s, \emptyset \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \qquad \{\text{Property of sets and predicate calculus}\} \\
= & (s,\{\bot\}) \in B \land (s,\emptyset) \in B
\end{array}
\]
□


Lemma L.B.2.14 $(s,\{\bot\}) \in bmh_{0,1,2}(B) = (s,\emptyset) \in B \land (s,\{\bot\}) \in B$

Proof.
\[
\begin{array}{ll}
& (s,\{\bot\}) \in bmh_{0,1,2}(B) \qquad \{\text{Definition of } bmh_{0,1,2}\} \\
= & (s,\{\bot\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \\
& \qquad \{\text{Property of sets}\} \\
= & \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq \{\bot\} \land (\bot \in ss_0 \Leftrightarrow \bot \in \{\bot\}) \qquad \{\text{Predicate calculus}\} \\
= & \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq \{\bot\} \land \bot \in ss_0 \qquad \{\text{Case analysis on } ss_0 \text{ and one-point rule}\} \\
= & ((s,\{\bot\}) \in B \lor (s, \{\bot\} \cup \{\bot\}) \in B) \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \qquad \{\text{Property of sets and predicate calculus}\} \\
= & (s,\{\bot\}) \in B \land (s,\emptyset) \in B
\end{array}
\]
□


Lemma L.B.2.15
\[
B_1 \subseteq B_0 \Leftrightarrow \forall s : State,\ ss : \mathbb{P}\,State \bullet ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0) \land ((s, ss \cup \{\bot\}) \in B_1 \Rightarrow (s, ss \cup \{\bot\}) \in B_0)
\]

Proof.
\[
\begin{array}{ll}
& B_1 \subseteq B_0 \qquad \{\text{Definition of subset inclusion}\} \\
\Leftrightarrow & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet (s,ss) \in B_1 \Rightarrow (s,ss) \in B_0 \qquad \{\text{Predicate calculus}\} \\
\Leftrightarrow & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0) \land (\bot \in ss \lor \bot \notin ss) \qquad \{\text{Predicate calculus}\} \\
\Leftrightarrow & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet (\bot \in ss \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0)) \land (\bot \notin ss \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0)) \qquad \{\text{Introduce fresh variable}\} \\
\Leftrightarrow & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet ((\exists t : \mathbb{P}\,State_\bot \bullet \bot \in ss \land t = ss \setminus \{\bot\}) \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0)) \land (\bot \notin ss \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0)) \\
& \qquad \{\text{Lemma L.B.5.2}\} \\
\Leftrightarrow & \forall s : State,\ ss : \mathbb{P}\,State_\bot \bullet ((\exists t : \mathbb{P}\,State_\bot \bullet \bot \notin t \land ss = t \cup \{\bot\}) \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0)) \land (\bot \notin ss \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0)) \\
& \qquad \{\text{Predicate calculus: quantifier scope}\} \\
\Leftrightarrow & \forall s : State;\ ss, t : \mathbb{P}\,State_\bot \bullet ((\bot \notin t \land ss = t \cup \{\bot\}) \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0)) \land (\bot \notin ss \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0)) \qquad \{\text{Predicate calculus}\} \\
\Leftrightarrow & \forall s : State;\ ss, t : \mathbb{P}\,State_\bot \bullet (\bot \notin t \Rightarrow (ss = t \cup \{\bot\} \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0))) \land (\bot \notin ss \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0)) \qquad \{\text{Variable renaming}\} \\
\Leftrightarrow & \forall s : State;\ ss, t : \mathbb{P}\,State_\bot \bullet (\bot \notin t \Rightarrow (ss = t \cup \{\bot\} \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0))) \land (\bot \notin t \Rightarrow ((s,t) \in B_1 \Rightarrow (s,t) \in B_0)) \\
& \qquad \{\text{Predicate calculus: quantifier scope}\} \\
\Leftrightarrow & \forall s : State,\ t : \mathbb{P}\,State_\bot \bullet (\bot \notin t \Rightarrow \forall ss : \mathbb{P}\,State_\bot \bullet (ss = t \cup \{\bot\} \Rightarrow ((s,ss) \in B_1 \Rightarrow (s,ss) \in B_0))) \land (\bot \notin t \Rightarrow ((s,t) \in B_1 \Rightarrow (s,t) \in B_0)) \\
& \qquad \{\text{Predicate calculus}\} \\
\Leftrightarrow & \forall s : State,\ t : \mathbb{P}\,State_\bot \bullet (\bot \notin t \Rightarrow ((s, t \cup \{\bot\}) \in B_1 \Rightarrow (s, t \cup \{\bot\}) \in B_0)) \land (\bot \notin t \Rightarrow ((s,t) \in B_1 \Rightarrow (s,t) \in B_0)) \qquad \{\text{Predicate calculus}\} \\
\Leftrightarrow & \forall s : State,\ t : \mathbb{P}\,State \bullet ((s, t \cup \{\bot\}) \in B_1 \Rightarrow (s, t \cup \{\bot\}) \in B_0) \land ((s,t) \in B_1 \Rightarrow (s,t) \in B_0)
\end{array}
\]
□


B.2.10 $bmh_{0,1,3}$

Lemma L.B.2.16
\[
bmh_0 \circ bmh_1 \circ bmh_3(B) = \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \left( \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land (s,\emptyset) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \right) \lor \left( \exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\}
\]

Proof.
\[
\begin{array}{ll}
& bmh_0 \circ bmh_1 \circ bmh_3(B) \qquad \{\text{Definition of } bmh_0 \circ bmh_1\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in bmh_3(B) \lor (s, ss_0 \cup \{\bot\}) \in bmh_3(B)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \qquad \{\text{Definition of } bmh_3\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s,ss_0) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \lor \bot \notin ss) \land (s,ss) \in B \,\} \\
& \qquad \lor\ (s, ss_0 \cup \{\bot\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \lor \bot \notin ss) \land (s,ss) \in B \,\}) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \qquad \{\text{Property of sets}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((((s,\emptyset) \in B \lor \bot \notin ss_0) \land (s,ss_0) \in B) \lor (((s,\emptyset) \in B \lor \bot \notin (ss_0 \cup \{\bot\})) \land (s, ss_0 \cup \{\bot\}) \in B)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \\
& \qquad \{\text{Property of sets and predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((((s,\emptyset) \in B \lor \bot \notin ss_0) \land (s,ss_0) \in B) \lor (((s,\emptyset) \in B \lor \mathit{false}) \land (s, ss_0 \cup \{\bot\}) \in B)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \\
& \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (((s,\emptyset) \in B \land (s,ss_0) \in B) \lor (\bot \notin ss_0 \land (s,ss_0) \in B) \lor ((s,\emptyset) \in B \land (s, ss_0 \cup \{\bot\}) \in B)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \\
& \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \left( \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land (s,\emptyset) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \right) \\
& \qquad \lor\ \left( \exists ss_0 \bullet \bot \notin ss_0 \land (s,ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \right) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \left( \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land (s,\emptyset) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \right) \\
& \qquad \lor\ \left( \exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\}
\end{array}
\]
□


Lemma L.B.2.17
\[
\begin{array}{ll}
& \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \\
= & \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B \lor (s,\{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array}
\]

Proof.
\[
\begin{array}{ll}
& \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \qquad \{\text{Predicate calculus}\} \\
= & (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \\
& \qquad \{\text{Instantiation of existential quantification for } ss_0 = \{\bot\} \text{ and } ss_0 = \emptyset\} \\
= & (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \\
& \qquad \lor\ ((s, \{\bot\} \cup \{\bot\}) \in B \land \{\bot\} \subseteq ss \land (\bot \in \{\bot\} \Leftrightarrow \bot \in ss)) \lor ((s, \emptyset \cup \{\bot\}) \in B \land \emptyset \subseteq ss \land (\bot \in \emptyset \Leftrightarrow \bot \in ss)) \qquad \{\text{Property of sets}\} \\
= & (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \\
& \qquad \lor\ ((s,\{\bot\}) \in B \land \{\bot\} \subseteq ss \land \bot \in ss) \lor ((s,\{\bot\}) \in B \land \bot \notin ss) \qquad \{\text{Lemma L.B.5.3 and predicate calculus}\} \\
= & (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \\
& \qquad \lor\ ((s,\{\bot\}) \in B \land \bot \in ss) \lor ((s,\{\bot\}) \in B \land \bot \notin ss) \qquad \{\text{Predicate calculus}\} \\
= & \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B \lor (s,\{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)
\end{array}
\]
□


B.2.11 $bmh_{0,1,3,2}$

Lemma L.3.3.14
\[
bmh_0 \circ bmh_1 \circ bmh_3 \circ bmh_2(B) = \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \lor \left( (s,\{\bot\}) \notin B \land (s,\emptyset) \notin B \land (\exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \right) \,\}
\]

Proof.
\[
\begin{array}{ll}
& bmh_0 \circ bmh_1 \circ bmh_3 \circ bmh_2(B) \qquad \{\text{Lemma L.B.2.16}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \left( \exists ss_0 \bullet ((s,ss_0) \in bmh_2(B) \lor (s, ss_0 \cup \{\bot\}) \in bmh_2(B)) \land (s,\emptyset) \in bmh_2(B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \right) \\
& \qquad \lor\ \left( \exists ss_0 \bullet (s,ss_0) \in bmh_2(B) \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\} \qquad \{\text{Definition of } bmh_2\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \left( \begin{array}{l} \exists ss_0 \bullet ((s,ss_0) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s,ss) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \,\} \\ \quad \lor\ (s, ss_0 \cup \{\bot\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s,ss) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \,\}) \\ \quad \land\ (s,\emptyset) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s,ss) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \,\} \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \end{array} \right) \\
& \qquad \lor\ \left( \exists ss_0 \bullet (s,ss_0) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s,ss) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \,\} \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\} \qquad \{\text{Property of sets}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \left( \begin{array}{l} \exists ss_0 \bullet (((s,ss_0) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B)) \lor ((s, ss_0 \cup \{\bot\}) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B))) \\ \quad \land\ ((s,\emptyset) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \end{array} \right) \\
& \qquad \lor\ \left( \exists ss_0 \bullet (s,ss_0) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \left( \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land (s,\emptyset) \in B \land (s,\{\bot\}) \in B \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \right) \\
& \qquad \lor\ \left( \exists ss_0 \bullet (s,ss_0) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \left( (s,\emptyset) \in B \land (s,\{\bot\}) \in B \land \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \right) \\
& \qquad \lor\ \left( \exists ss_0 \bullet (s,ss_0) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\} \qquad \{\text{Lemma L.B.2.17}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \left( (s,\emptyset) \in B \land (s,\{\bot\}) \in B \land \exists ss_0 \bullet ((s,ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B \lor (s,\{\bot\}) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \right) \\
& \qquad \lor\ \left( \exists ss_0 \bullet (s,ss_0) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\} \qquad \{\text{Predicate calculus: absorption law}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \lor \left( \exists ss_0 \bullet (s,ss_0) \in B \land ((s,\{\bot\}) \in B \Leftrightarrow (s,\emptyset) \in B) \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \\
& \qquad \lor\ \left( (s,\{\bot\}) \in B \land (s,\emptyset) \in B \land \exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \\
& \qquad \lor\ \left( (s,\{\bot\}) \notin B \land (s,\emptyset) \notin B \land \exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\} \qquad \{\text{Predicate calculus: absorption law}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \lor \left( (s,\{\bot\}) \notin B \land (s,\emptyset) \notin B \land \exists ss_0 \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\}
\end{array}
\]
□


Theorem T.3.3.2 $\textrm{BMH0} \land \textrm{BMH1} \land \textrm{BMH2} \land \textrm{BMH3} \Leftrightarrow bmh_{0,1,3,2}(B) = B$

Proof. The implication follows from Lemma L.3.3.15, while the reverse implication
follows from the fact that $bmh_{0,1,3,2}(B)$ is a fixed point of $bmh_{0,1,2}$ (Lemma L.3.3.16)
and Lemmas L.3.3.10 to L.3.3.12 and L.3.3.17. □
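As an added illustration, not part of the original appendix, of what Theorem T.3.3.2 says in concrete terms: the closed form of $bmh_{0,1,3,2}$ from Lemma L.3.3.14 is applied to the two unhealthy relations of Counter-examples 6 and 7 and to one healthy relation. The names $B_6$ and $B_7$ for the relations of the counter-examples, and the healthy relation $B_h$, are introduced here for this calculation only; $B_h$ is constructed for the example and is not taken from the thesis.

For both $B_6 = \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ss = \{\bot\} \lor ss = \{s\} \,\}$ and $B_7 = \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ss = \{\bot, s\} \lor ss = \{\bot\} \,\}$ we have $(s,\emptyset) \notin B$ and $(s,\{\bot\}) \in B$, so both disjuncts of Lemma L.3.3.14 are false:
\[
\begin{array}{ll}
& bmh_{0,1,3,2}(B_6) \qquad \{\text{Lemma L.3.3.14}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B_6 \land (s,\{\bot\}) \in B_6) \lor ((s,\{\bot\}) \notin B_6 \land (s,\emptyset) \notin B_6 \land \exists ss_0 \bullet (s,ss_0) \in B_6 \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \,\} \\
& \qquad \{(s,\emptyset) \notin B_6 \text{ and } (s,\{\bot\}) \in B_6\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (\mathit{false} \land \mathit{true}) \lor (\mathit{false} \land \mathit{true} \land \ldots) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \emptyset \neq B_6
\end{array}
\]
and identically $bmh_{0,1,3,2}(B_7) = \emptyset \neq B_7$. This is what the theorem requires, since $B_6$ violates BMH2 (it contains $(s,\{\bot\})$ but not $(s,\emptyset)$) and $B_7$ violates BMH3 (it contains a pair whose set contains $\bot$, but not $(s,\emptyset)$).

Now take $B_h = \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \bot \notin ss \land s \in ss \,\}$. It is BMH0-healthy (if $\bot \notin ss_0$, $s \in ss_0$, $ss_0 \subseteq ss_1$ and $\bot \in ss_0 \Leftrightarrow \bot \in ss_1$, then $\bot \notin ss_1$ and $s \in ss_1$), BMH1-healthy and BMH3-healthy (no pair in $B_h$ has a set containing $\bot$, so both conditions hold vacuously) and BMH2-healthy ($(s,\emptyset) \notin B_h$ and $(s,\{\bot\}) \notin B_h$). The theorem therefore predicts a fixed point:
\[
\begin{array}{ll}
& bmh_{0,1,3,2}(B_h) \qquad \{\text{Lemma L.3.3.14}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B_h \land (s,\{\bot\}) \in B_h) \lor ((s,\{\bot\}) \notin B_h \land (s,\emptyset) \notin B_h \land \exists ss_0 \bullet (s,ss_0) \in B_h \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \,\} \\
& \qquad \{s \notin \emptyset \text{ and } \bot \in \{\bot\}, \text{ so } (s,\emptyset) \notin B_h \text{ and } (s,\{\bot\}) \notin B_h\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet \bot \notin ss_0 \land s \in ss_0 \land ss_0 \subseteq ss \land \bot \notin ss \,\} \\
& \qquad \{ss_0 \subseteq ss \text{ gives } s \in ss;\ \text{instantiation } ss_0 = \{s\} \text{ gives the converse}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \bot \notin ss \land s \in ss \,\} \qquad \{\text{Definition of } B_h\} \\
= & B_h
\end{array}
\]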


Lemma L.3.3.15 $\textrm{BMH0} \land \textrm{BMH1} \land \textrm{BMH2} \land \textrm{BMH3} \Rightarrow bmh_{0,1,3,2}(B) = B$

Proof.
\[
\begin{array}{ll}
& bmh_{0,1,3,2}(B) \qquad \{\text{Definition of } bmh_{0,1,3,2}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \lor \left( (s,\{\bot\}) \notin B \land (s,\emptyset) \notin B \land \exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\} \\
& \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \lor ((s,\{\bot\}) \notin B \land (s,\emptyset) \notin B)) \\
& \qquad \land\ \left( ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \lor (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \right) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \Leftrightarrow (s,\{\bot\}) \in B) \\
& \qquad \land\ \left( ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \lor (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \right) \,\} \qquad \{\text{Assumption: } B \text{ is BMH2-healthy}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \lor (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss) \,\} \qquad \{\text{Assumption: } B \text{ is BMH0-healthy}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \lor \left( (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0) \land (s,ss) \in B \land \bot \notin ss \right) \,\} \\
& \qquad \{\text{Predicate calculus: instantiation of existential quantifier for } ss_0 = ss\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \lor \left( ((\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0) \lor ((s,ss) \in B \land \bot \notin ss)) \land ((s,ss) \in B \land \bot \notin ss) \right) \,\} \\
& \qquad \{\text{Predicate calculus: absorption law}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \lor ((s,ss) \in B \land \bot \notin ss) \,\} \qquad \{\text{Assumption: } B \text{ is BMH2-healthy}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s,\emptyset) \in B \lor ((s,ss) \in B \land \bot \notin ss) \,\} \qquad \{\text{Assumption: } B \text{ is BMH0, BMH2 and BMH3-healthy and Lemma L.B.2.24}\} \\
= & B
\end{array}
\]
□


Lemma L.3.3.16 $bmh_{0,1,2} \circ bmh_{0,1,3,2}(B) = bmh_{0,1,3,2}(B)$

Proof.
\[
\begin{array}{ll}
& bmh_{0,1,2} \circ bmh_{0,1,3,2}(B) \qquad \{\text{Definition of } bmh_{0,1,2}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 : \mathbb{P}\,State_\bot \bullet ((s,ss_0) \in bmh_{0,1,3,2}(B) \lor (s, ss_0 \cup \{\bot\}) \in bmh_{0,1,3,2}(B)) \\
& \qquad \land\ ((s,\{\bot\}) \in bmh_{0,1,3,2}(B) \Leftrightarrow (s,\emptyset) \in bmh_{0,1,3,2}(B)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \\
& \qquad \{\text{Lemma L.B.2.22 and Lemma L.B.2.23 and predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 : \mathbb{P}\,State_\bot \bullet ((s,ss_0) \in bmh_{0,1,3,2}(B) \lor (s, ss_0 \cup \{\bot\}) \in bmh_{0,1,3,2}(B)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \\
& \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in bmh_{0,1,3,2}(B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \\
& \qquad \lor\ (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0 \cup \{\bot\}) \in bmh_{0,1,3,2}(B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \,\} \qquad \{\text{Lemma L.B.2.20 and Lemma L.B.2.21}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \\
& \qquad \lor\ \left( (s,\{\bot\}) \notin B \land (s,\emptyset) \notin B \land \exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \\
& \qquad \lor\ ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \,\} \qquad \{\text{Predicate calculus}\} \\
= & \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,\emptyset) \in B \land (s,\{\bot\}) \in B) \\
& \qquad \lor\ \left( (s,\{\bot\}) \notin B \land (s,\emptyset) \notin B \land \exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss \right) \,\} \qquad \{\text{Definition of } bmh_{0,1,3,2}(B)\} \\
= & bmh_{0,1,3,2}(B)
\end{array}
\]
□


Lemma L.3.3.17 $(bmh_{0,1,3,2}(B) = B) \Rightarrow \textrm{BMH3}$

Proof.
\[
\begin{array}{ll}
& \textrm{BMH3} \qquad \{\text{Definition of BMH3}\} \\
= & \forall s_0 : State \bullet (\forall ss_0 : \mathbb{P}\,State_\bot \bullet (s_0,ss_0) \in B \Rightarrow \bot \notin ss_0) \lor (s_0,\emptyset) \in B \qquad \{\text{Predicate calculus}\} \\
= & \forall s_0 : State \bullet (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s_0,ss_0) \in B \land \bot \in ss_0) \Rightarrow (s_0,\emptyset) \in B \qquad \{\text{Assumption: } bmh_{0,1,3,2}(B) = B\} \\
= & \forall s_0 : State \bullet (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s_0,ss_0) \in bmh_{0,1,3,2}(B) \land \bot \in ss_0) \Rightarrow (s_0,\emptyset) \in bmh_{0,1,3,2}(B) \qquad \{\text{Lemma L.B.2.19 and Lemma L.B.2.22}\} \\
= & \forall s_0 : State \bullet \left( \exists ss_0 : \mathbb{P}\,State_\bot \bullet \left( \begin{array}{l} ((s_0,\emptyset) \in B \land (s_0,\{\bot\}) \in B) \\ \lor\ \left( (s_0,\{\bot\}) \notin B \land (s_0,\emptyset) \notin B \land \exists ss_1 \bullet (s_0,ss_1) \in B \land ss_1 \subseteq ss_0 \land \bot \notin ss_1 \land \bot \notin ss_0 \right) \end{array} \right) \land \bot \in ss_0 \right) \Rightarrow ((s_0,\emptyset) \in B \land (s_0,\{\bot\}) \in B) \\
& \qquad \{\text{Predicate calculus}\} \\
= & \forall s_0 : State \bullet (\exists ss_0 : \mathbb{P}\,State_\bot \bullet ((s_0,\emptyset) \in B \land (s_0,\{\bot\}) \in B) \land \bot \in ss_0) \Rightarrow ((s_0,\emptyset) \in B \land (s_0,\{\bot\}) \in B) \qquad \{\text{Case analysis on } ss_0\} \\
= & \forall s_0 : State \bullet ((s_0,\emptyset) \in B \land (s_0,\{\bot\}) \in B) \Rightarrow ((s_0,\emptyset) \in B \land (s_0,\{\bot\}) \in B) \qquad \{\text{Predicate calculus}\} \\
= & \mathit{true}
\end{array}
\]
□


Lemma L.B.2.18 $\mathit{bmh}_{0,1,3,2} \circ \mathit{bmh}_{0,1,3,2}(B) = \mathit{bmh}_{0,1,3,2}(B)$

Proof.

\[
\begin{array}{l}
\quad \mathit{bmh}_{0,1,3,2} \circ \mathit{bmh}_{0,1,3,2}(B) \\
\quad \{\text{Definition of } \mathit{bmh}_{0,1,3,2}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \\
\qquad ((s,\emptyset) \in \mathit{bmh}_{0,1,3,2}(B) \wedge (s,\{\bot\}) \in \mathit{bmh}_{0,1,3,2}(B)) \\
\qquad \vee \\
\qquad \left( \begin{array}{l} (s,\{\bot\}) \notin \mathit{bmh}_{0,1,3,2}(B) \wedge (s,\emptyset) \notin \mathit{bmh}_{0,1,3,2}(B) \\ \wedge \\ \exists ss_0 \bullet (s,ss_0) \in \mathit{bmh}_{0,1,3,2}(B) \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right) \,\} \\
\quad \{\text{Lemma L.B.2.22 and Lemma L.B.2.23}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \\
\qquad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B \wedge (s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\
\qquad \vee \\
\qquad \left( \begin{array}{l} \neg ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge \neg ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \wedge \\ \exists ss_0 \bullet (s,ss_0) \in \mathit{bmh}_{0,1,3,2}(B) \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right) \,\} \\
\quad \{\text{Predicate calculus and definition of } \mathit{bmh}_{0,1,3,2}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \\
\qquad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\
\qquad \vee \\
\qquad \left( \begin{array}{l} \neg ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \wedge \\ \exists ss_0 \bullet (s,ss_0) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \\ \qquad \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right) \,\} \\
\quad \{\text{Variable renaming and property of sets}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \\
\qquad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\
\qquad \vee \\
\qquad \left( \begin{array}{l} \neg ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \wedge \\ \exists ss_0 \bullet \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_1 \bullet (s,ss_1) \in B \wedge ss_1 \subseteq ss_0 \wedge \bot \notin ss_1 \wedge \bot \notin ss_0) \end{array} \right) \\ \qquad \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right) \,\} \\
\quad \{\text{Predicate calculus}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \\
\qquad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\
\qquad \vee \\
\qquad (\exists ss_0 \bullet ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \\
\qquad \vee \\
\qquad \left( \begin{array}{l} (s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \\ \wedge \\ \exists ss_0 \bullet (\exists ss_1 \bullet (s,ss_1) \in B \wedge ss_1 \subseteq ss_0 \wedge \bot \notin ss_1 \wedge \bot \notin ss_0) \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right) \,\} \\
\quad \{\text{Predicate calculus: quantifier scope}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \\
\qquad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\
\qquad \vee \\
\qquad (((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge \exists ss_0 \bullet ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \\
\qquad \vee \\
\qquad \left( \begin{array}{l} (s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \\ \wedge \\ \exists ss_1, ss_0 \bullet (s,ss_1) \in B \wedge ss_1 \subseteq ss_0 \wedge \bot \notin ss_1 \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right) \,\} \\
\quad \{\text{Predicate calculus: absorption law}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \\
\qquad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\
\qquad \vee \\
\qquad \left( \begin{array}{l} (s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \\ \wedge \\ \exists ss_1, ss_0 \bullet (s,ss_1) \in B \wedge ss_1 \subseteq ss_0 \wedge \bot \notin ss_1 \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right) \,\} \\
\quad \{\text{Predicate calculus}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \\
\qquad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\
\qquad \vee \\
\qquad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_1 \bullet (s,ss_1) \in B \wedge ss_1 \subseteq ss \wedge \bot \notin ss_1 \wedge \bot \notin ss) \,\} \\
\quad \{\text{Definition of } \mathit{bmh}_{0,1,3,2}\} \\
= \mathit{bmh}_{0,1,3,2}(B)
\end{array}
\]

□


Lemma L.B.2.19

\[
(s,ss) \in \mathit{bmh}_{0,1,3,2}(B) = \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right)
\]

Proof.

\[
\begin{array}{l}
\quad (s,ss) \in \mathit{bmh}_{0,1,3,2}(B) \\
\quad \{\text{Definition of } \mathit{bmh}_{0,1,3,2}\} \\
= (s,ss) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \\
\quad \{\text{Property of sets}\} \\
= \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right)
\end{array}
\]

□


Lemma L.B.2.20

\[
\begin{array}{l}
\quad \exists ss_1 : \mathbb{P}\,State_\bot \bullet (s, ss_1 \cup \{\bot\}) \in \mathit{bmh}_{0,1,3,2}(B) \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \\
= ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B)
\end{array}
\]

Proof.

\[
\begin{array}{l}
\quad \exists ss_1 : \mathbb{P}\,State_\bot \bullet (s, ss_1 \cup \{\bot\}) \in \mathit{bmh}_{0,1,3,2}(B) \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \\
\quad \{\text{Definition of } \mathit{bmh}_{0,1,3,2}\} \\
= \exists ss_1 : \mathbb{P}\,State_\bot \bullet \\
\qquad (s, ss_1 \cup \{\bot\}) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \\
\qquad \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \\
\quad \{\text{Property of sets}\} \\
= \exists ss_1 : \mathbb{P}\,State_\bot \bullet \\
\qquad \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ \left( \begin{array}{l} (s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \\ \wedge \\ \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq (ss_1 \cup \{\bot\}) \wedge \bot \notin ss_0 \wedge \bot \notin (ss_1 \cup \{\bot\}) \end{array} \right) \end{array} \right) \\
\qquad \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \\
\quad \{\text{Property of sets and predicate calculus}\} \\
= \exists ss_1 : \mathbb{P}\,State_\bot \bullet ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \\
\quad \{\text{Predicate calculus: instantiation of existential quantifier for } ss_1 = ss\} \\
= ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B)
\end{array}
\]

□


Lemma L.B.2.21

\[
\begin{array}{l}
\quad \exists ss_1 : \mathbb{P}\,State_\bot \bullet (s, ss_1) \in \mathit{bmh}_{0,1,3,2}(B) \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \\
= \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right)
\end{array}
\]

Proof.

\[
\begin{array}{l}
\quad \exists ss_1 : \mathbb{P}\,State_\bot \bullet (s, ss_1) \in \mathit{bmh}_{0,1,3,2}(B) \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \\
\quad \{\text{Definition of } \mathit{bmh}_{0,1,3,2}\} \\
= \exists ss_1 : \mathbb{P}\,State_\bot \bullet \\
\qquad (s, ss_1) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \\
\qquad \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \\
\quad \{\text{Property of sets}\} \\
= \exists ss_1 : \mathbb{P}\,State_\bot \bullet \\
\qquad \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \notin ss_0 \wedge \bot \notin ss_1) \end{array} \right) \\
\qquad \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \\
\quad \{\text{Predicate calculus}\} \\
= \left( \begin{array}{l} (\exists ss_1 : \mathbb{P}\,State_\bot \bullet ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss)) \\ \vee \\ \left( \begin{array}{l} (s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \\ \wedge \\ \exists ss_0, ss_1 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge \bot \notin ss_0 \wedge \bot \notin ss_1 \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss) \end{array} \right) \end{array} \right) \\
\quad \{\text{Predicate calculus}\} \\
= \left( \begin{array}{l} (\exists ss_1 : \mathbb{P}\,State_\bot \bullet ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge ss_1 \subseteq ss \wedge (\bot \in ss_1 \Leftrightarrow \bot \in ss)) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right) \\
\quad \{\text{Predicate calculus: instantiation of existential quantifier for } ss_1 = ss\} \\
= \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 : \mathbb{P}\,State_\bot \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right)
\end{array}
\]

□


Lemma L.B.2.22 $(s,\emptyset) \in \mathit{bmh}_{0,1,3,2}(B) = (s,\emptyset) \in B \wedge (s,\{\bot\}) \in B$

Proof.

\[
\begin{array}{l}
\quad (s,\emptyset) \in \mathit{bmh}_{0,1,3,2}(B) \\
\quad \{\text{Definition of } \mathit{bmh}_{0,1,3,2}\} \\
= (s,\emptyset) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \\
\quad \{\text{Property of sets}\} \\
= \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq \emptyset \wedge \bot \notin ss_0 \wedge \bot \notin \emptyset) \end{array} \right) \\
\quad \{\text{Property of sets and one-point rule}\} \\
= \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge (s,\emptyset) \in B) \end{array} \right) \\
\quad \{\text{Predicate calculus}\} \\
= (s,\emptyset) \in B \wedge (s,\{\bot\}) \in B
\end{array}
\]

□


Lemma L.B.2.23 $(s,\{\bot\}) \in \mathit{bmh}_{0,1,3,2}(B) = (s,\emptyset) \in B \wedge (s,\{\bot\}) \in B$

Proof.

\[
\begin{array}{l}
\quad (s,\{\bot\}) \in \mathit{bmh}_{0,1,3,2}(B) \\
\quad \{\text{Definition of } \mathit{bmh}_{0,1,3,2}\} \\
= (s,\{\bot\}) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \\
\quad \{\text{Property of sets}\} \\
= \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq \{\bot\} \wedge \bot \notin ss_0 \wedge \bot \notin \{\bot\}) \end{array} \right) \\
\quad \{\text{Property of sets}\} \\
= \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \mathit{false}) \end{array} \right) \\
\quad \{\text{Predicate calculus}\} \\
= (s,\emptyset) \in B \wedge (s,\{\bot\}) \in B
\end{array}
\]

□
Lemma L.B.2.24 Provided $B$ is $\mathit{BMH0}$ and $\mathit{BMH2}$-healthy,

\[
B = (B \nrres \{\, ss : \mathbb{P}\,State_\bot \mid \bot \in ss \,\}) \cup \{\, s_0 : State,\ ss : \mathbb{P}\,State_\bot \mid (s_0,\emptyset) \in B \,\} \Leftrightarrow \mathit{BMH3}
\]

Proof.

\[
\begin{array}{l}
\quad B = (B \nrres \{\, ss : \mathbb{P}\,State_\bot \mid \bot \in ss \,\}) \cup \{\, s_0 : State,\ ss : \mathbb{P}\,State_\bot \mid (s_0,\emptyset) \in B \,\} \\
\quad \{\text{Property of sets}\} \\
\Leftrightarrow (B = \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s,ss) \in B \wedge \bot \notin ss) \vee (s,\emptyset) \in B \,\}) \\
\quad \{\text{Property of sets}\} \\
\Leftrightarrow \forall s, ss \bullet \left( \begin{array}{l} ((s,ss) \in B \Rightarrow (((s,ss) \in B \wedge \bot \notin ss) \vee (s,\emptyset) \in B)) \\ \wedge \\ ((((s,ss) \in B \wedge \bot \notin ss) \vee (s,\emptyset) \in B) \Rightarrow (s,ss) \in B) \end{array} \right) \\
\quad \{\text{Propositional calculus}\} \\
\Leftrightarrow \forall s, ss \bullet \left( \begin{array}{l} ((s,\emptyset) \notin B \Rightarrow ((s,ss) \notin B \vee ((s,ss) \in B \wedge \bot \notin ss))) \\ \wedge \\ ((((s,ss) \notin B \vee \bot \in ss) \wedge (s,\emptyset) \notin B) \vee (s,ss) \in B) \end{array} \right) \\
\quad \{\text{Propositional calculus: absorption law}\} \\
\Leftrightarrow \forall s, ss \bullet \left( \begin{array}{l} ((s,\emptyset) \notin B \Rightarrow ((s,ss) \notin B \vee \bot \notin ss)) \\ \wedge \\ ((s,\emptyset) \notin B \vee (s,ss) \in B) \end{array} \right) \\
\quad \{\text{Propositional calculus}\} \\
\Leftrightarrow \left( \begin{array}{l} \forall s, ss \bullet (s,\emptyset) \notin B \Rightarrow ((s,ss) \in B \Rightarrow \bot \notin ss) \\ \wedge \\ \forall s, ss \bullet (s,\emptyset) \in B \Rightarrow (s,ss) \in B \end{array} \right) \\
\quad \{\text{Propositional calculus: introduce term}\} \\
\Leftrightarrow \left( \begin{array}{l} \forall s, ss \bullet (s,\emptyset) \notin B \Rightarrow ((s,ss) \in B \Rightarrow \bot \notin ss) \\ \wedge \\ \forall s, ss \bullet (s,\emptyset) \in B \Rightarrow ((s,ss) \in B \vee (\bot \in ss \wedge \bot \notin ss)) \end{array} \right) \\
\quad \{\text{Propositional calculus}\} \\
\Leftrightarrow \left( \begin{array}{l} \forall s, ss \bullet (s,\emptyset) \notin B \Rightarrow ((s,ss) \in B \Rightarrow \bot \notin ss) \\ \wedge \\ \forall s, ss \bullet (s,\emptyset) \in B \Rightarrow ((s,ss) \in B \vee \bot \in ss) \\ \wedge \\ \forall s, ss \bullet (s,\emptyset) \in B \Rightarrow ((s,ss) \in B \vee \bot \notin ss) \end{array} \right) \\
\quad \{\text{Propositional calculus}\} \\
\Leftrightarrow \left( \begin{array}{l} \forall s, ss \bullet (s,\emptyset) \notin B \Rightarrow ((s,ss) \in B \Rightarrow \bot \notin ss) \\ \wedge \\ \forall s, ss \bullet ((s,\emptyset) \in B \wedge \bot \notin ss) \Rightarrow (s,ss) \in B \\ \wedge \\ \forall s, ss \bullet ((s,\emptyset) \in B \wedge \bot \in ss) \Rightarrow (s,ss) \in B \end{array} \right) \\
\quad \{\text{Property of sets}\} \\
\Leftrightarrow \left( \begin{array}{l} \forall s, ss \bullet (s,\emptyset) \notin B \Rightarrow ((s,ss) \in B \Rightarrow \bot \notin ss) \\ \wedge \\ \forall s, ss \bullet ((s,\emptyset) \in B \wedge \emptyset \subseteq ss \wedge \bot \notin \emptyset \wedge \bot \notin ss) \Rightarrow (s,ss) \in B \\ \wedge \\ \forall s, ss \bullet ((s,\emptyset) \in B \wedge \bot \in ss) \Rightarrow (s,ss) \in B \end{array} \right) \\
\quad \{\text{Assumption: } B \text{ is } \mathit{BMH2}\text{-healthy and Lemma L.B.5.3}\} \\
\Leftrightarrow \left( \begin{array}{l} \forall s, ss \bullet (s,\emptyset) \notin B \Rightarrow ((s,ss) \in B \Rightarrow \bot \notin ss) \\ \wedge \\ \forall s, ss \bullet ((s,\emptyset) \in B \wedge \emptyset \subseteq ss \wedge \bot \notin \emptyset \wedge \bot \notin ss) \Rightarrow (s,ss) \in B \\ \wedge \\ \forall s, ss \bullet ((s,\{\bot\}) \in B \wedge \{\bot\} \subseteq ss \wedge \bot \in \{\bot\} \wedge \bot \in ss) \Rightarrow (s,ss) \in B \end{array} \right) \\
\quad \{\text{Assumption: } B \text{ is } \mathit{BMH0}\text{-healthy}\} \\
\Leftrightarrow \forall s, ss \bullet (s,\emptyset) \notin B \Rightarrow ((s,ss) \in B \Rightarrow \bot \notin ss) \\
\quad \{\text{Propositional calculus: move quantifier}\} \\
\Leftrightarrow \forall s \bullet (s,\emptyset) \notin B \Rightarrow \forall ss \bullet ((s,ss) \in B \Rightarrow \bot \notin ss) \\
\quad \{\text{Definition of } \mathit{BMH3}\} \\
\Leftrightarrow \mathit{BMH3}
\end{array}
\]

□


B.3 Operators 

B.3.1 Angelic Choice 

Lemma L.3.5.1 $(x :=_{\mathit{BM}_\bot} e) \sqcup_{\mathit{BM}_\bot} (x :=_{\mathit{BM}} e) = (x :=_{\mathit{BM}} e)$

Proof.

\[
\begin{array}{l}
\quad (x :=_{\mathit{BM}_\bot} e) \sqcup_{\mathit{BM}_\bot} (x :=_{\mathit{BM}} e) \\
\quad \{\text{Definition of } :=_{\mathit{BM}_\bot},\ :=_{\mathit{BM}} \text{ and } \sqcup_{\mathit{BM}_\bot}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto e) \in ss \,\} \cap \{\, s : State,\ ss : \mathbb{P}\,State \mid s \oplus (x \mapsto e) \in ss \,\} \\
\quad \{\text{Type: } \bot \notin \mathbb{P}\,State\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto e) \in ss \,\} \cap \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto e) \in ss \wedge \bot \notin ss \,\} \\
\quad \{\text{Property of sets and predicate calculus}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto e) \in ss \wedge \bot \notin ss \,\} \\
\quad \{\text{Type: } \bot \notin \mathbb{P}\,State\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State \mid s \oplus (x \mapsto e) \in ss \,\} \\
\quad \{\text{Definition of } :=_{\mathit{BM}}\} \\
= (x :=_{\mathit{BM}} e)
\end{array}
\]

□


Lemma L.3.5.2 $\top_{\mathit{BM}_\bot} \sqcup_{\mathit{BM}_\bot} B = \top_{\mathit{BM}_\bot}$

Proof.

\[
\begin{array}{l}
\quad \top_{\mathit{BM}_\bot} \sqcup_{\mathit{BM}_\bot} B \\
\quad \{\text{Definition of } \top_{\mathit{BM}_\bot} \text{ and } \sqcup_{\mathit{BM}_\bot}\} \\
= \emptyset \cap B \\
\quad \{\text{Property of sets}\} \\
= \emptyset \\
\quad \{\text{Definition of } \top_{\mathit{BM}_\bot}\} \\
= \top_{\mathit{BM}_\bot}
\end{array}
\]

□


Lemma L.3.5.3 $\bot_{\mathit{BM}_\bot} \sqcup_{\mathit{BM}_\bot} B = B$

Proof.

\[
\begin{array}{l}
\quad \bot_{\mathit{BM}_\bot} \sqcup_{\mathit{BM}_\bot} B \\
\quad \{\text{Definition of } \bot_{\mathit{BM}_\bot} \text{ and } \sqcup_{\mathit{BM}_\bot}\} \\
= (State \times \mathbb{P}\,State_\bot) \cap B \\
\quad \{\text{Property of sets}\} \\
= B
\end{array}
\]

□
B.3.2 Demonic Choice

Lemma L.3.5.4 $(x :=_{\mathit{BM}} e) \sqcap_{\mathit{BM}_\bot} (x :=_{\mathit{BM}_\bot} e) = (x :=_{\mathit{BM}_\bot} e)$

Proof.

\[
\begin{array}{l}
\quad (x :=_{\mathit{BM}} e) \sqcap_{\mathit{BM}_\bot} (x :=_{\mathit{BM}_\bot} e) \\
\quad \{\text{Definition of } :=_{\mathit{BM}},\ :=_{\mathit{BM}_\bot} \text{ and } \sqcap_{\mathit{BM}_\bot}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State \mid s \oplus (x \mapsto e) \in ss \,\} \cup \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto e) \in ss \,\} \\
\quad \{\text{Type: } \bot \notin \mathbb{P}\,State\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto e) \in ss \wedge \bot \notin ss \,\} \cup \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto e) \in ss \,\} \\
\quad \{\text{Property of sets}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s \oplus (x \mapsto e) \in ss \wedge \bot \notin ss) \vee s \oplus (x \mapsto e) \in ss \,\} \\
\quad \{\text{Predicate calculus: absorption law}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid s \oplus (x \mapsto e) \in ss \,\} \\
\quad \{\text{Definition of } :=_{\mathit{BM}_\bot}\} \\
= (x :=_{\mathit{BM}_\bot} e)
\end{array}
\]

□


Lemma L.3.5.5 $\bot_{\mathit{BM}_\bot} \sqcap_{\mathit{BM}_\bot} B = \bot_{\mathit{BM}_\bot}$

Proof.

\[
\begin{array}{l}
\quad \bot_{\mathit{BM}_\bot} \sqcap_{\mathit{BM}_\bot} B \\
\quad \{\text{Definition of } \bot_{\mathit{BM}_\bot} \text{ and } \sqcap_{\mathit{BM}_\bot}\} \\
= (State \times \mathbb{P}\,State_\bot) \cup B \\
\quad \{\text{Property of sets}\} \\
= (State \times \mathbb{P}\,State_\bot) \\
\quad \{\text{Definition of } \bot_{\mathit{BM}_\bot}\} \\
= \bot_{\mathit{BM}_\bot}
\end{array}
\]

□


Lemma L.3.5.6 $\top_{\mathit{BM}_\bot} \sqcap_{\mathit{BM}_\bot} B = B$

Proof.

\[
\begin{array}{l}
\quad \top_{\mathit{BM}_\bot} \sqcap_{\mathit{BM}_\bot} B \\
\quad \{\text{Definition of } \top_{\mathit{BM}_\bot} \text{ and } \sqcap_{\mathit{BM}_\bot}\} \\
= \emptyset \cup B \\
\quad \{\text{Property of sets}\} \\
= B
\end{array}
\]

□
B.3.3 Sequential Composition


Theorem T.3.5.1 Provided $B_0$ is $\mathit{BMH0}$-healthy,

\[
B_0 \mathbin{;_{\mathit{BM}_\bot}} B_1 = \left( \begin{array}{l} \{\, s_0, ss_0 \mid (s_0, State_\bot) \in B_0 \,\} \\ \cup \\ \{\, s_0, ss_0 \mid (s_0, \{\, s_1 \mid (s_1, ss_0) \in B_1 \,\}) \in B_0 \,\} \end{array} \right)
\]

Proof.

\[
\begin{array}{l}
\quad B_0 \mathbin{;_{\mathit{BM}_\bot}} B_1 \\
\quad \{\text{Definition of } ;_{\mathit{BM}_\bot}\} \\
= \left\{ \begin{array}{l} s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid \\ \quad \exists ss : \mathbb{P}\,State_\bot \bullet (s_0, ss) \in B_0 \wedge \left( \begin{array}{l} \bot \in ss \\ \vee \\ (\bot \notin ss \wedge ss \subseteq \{\, s_1 : State \mid (s_1, ss_0) \in B_1 \,\}) \end{array} \right) \end{array} \right\} \\
\quad \{\text{Predicate calculus and property of sets}\} \\
= \left( \begin{array}{l} \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid \exists ss : \mathbb{P}\,State_\bot \bullet (s_0, ss) \in B_0 \wedge \bot \in ss \,\} \\ \cup \\ \left\{ \begin{array}{l} s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid \\ \quad \exists ss : \mathbb{P}\,State_\bot \bullet (s_0, ss) \in B_0 \wedge \bot \notin ss \wedge ss \subseteq \{\, s_1 : State \mid (s_1, ss_0) \in B_1 \,\} \end{array} \right\} \end{array} \right) \\
\quad \{\text{Propositional calculus and property of sets}\} \\
= \left( \begin{array}{l} \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid \exists ss : \mathbb{P}\,State_\bot \bullet (s_0, ss) \in B_0 \wedge \bot \in ss \wedge ss \subseteq State_\bot \,\} \\ \cup \\ \left\{ \begin{array}{l} s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid \\ \quad \exists ss : \mathbb{P}\,State_\bot \bullet (s_0, ss) \in B_0 \wedge \bot \notin ss \wedge ss \subseteq \{\, s_1 : State \mid (s_1, ss_0) \in B_1 \,\} \end{array} \right\} \end{array} \right) \\
\quad \{\bot \text{ in } State_\bot \text{ and } \bot \text{ not in } State\} \\
= \left( \begin{array}{l} \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid \exists ss : \mathbb{P}\,State_\bot \bullet (s_0, ss) \in B_0 \wedge \bot \in ss \wedge ss \subseteq State_\bot \wedge \bot \in State_\bot \,\} \\ \cup \\ \left\{ \begin{array}{l} s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid \\ \quad \exists ss : \mathbb{P}\,State_\bot \bullet (s_0, ss) \in B_0 \wedge \bot \notin ss \wedge ss \subseteq \{\, s_1 : State \mid (s_1, ss_0) \in B_1 \,\} \\ \qquad \wedge \bot \notin \{\, s_1 : State \mid (s_1, ss_0) \in B_1 \,\} \end{array} \right\} \end{array} \right) \\
\quad \{\text{Assumption: } B_0 \text{ is } \mathit{BMH0}\text{-healthy and Lemma L.B.1.1}\} \\
= \left( \begin{array}{l} \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, State_\bot) \in B_0 \,\} \\ \cup \\ \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, \{\, s_1 : State \mid (s_1, ss_0) \in B_1 \,\}) \in B_0 \,\} \end{array} \right)
\end{array}
\]

□


Lemma L.3.5.7 $\top_{\mathit{BM}_\bot} \mathbin{;_{\mathit{BM}_\bot}} B = \top_{\mathit{BM}_\bot}$

Proof.

\[
\begin{array}{l}
\quad \top_{\mathit{BM}_\bot} \mathbin{;_{\mathit{BM}_\bot}} B \\
\quad \{\text{Definition of } \top_{\mathit{BM}_\bot}\} \\
= \emptyset \mathbin{;_{\mathit{BM}_\bot}} B \\
\quad \{\text{Definition of } ;_{\mathit{BM}_\bot} \text{ (Theorem T.3.5.1 as } \top_{\mathit{BM}_\bot} \text{ is } \mathit{BMH0}\text{-healthy)}\} \\
= \left( \begin{array}{l} \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, State_\bot) \in \emptyset \,\} \\ \cup \\ \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, \{\, s_1 : State \mid (s_1, ss_0) \in B \,\}) \in \emptyset \,\} \end{array} \right) \\
\quad \{\text{Property of sets}\} \\
= \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid \mathit{false} \,\} \cup \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid \mathit{false} \,\} \\
\quad \{\text{Property of sets}\} \\
= \emptyset \cup \emptyset \\
\quad \{\text{Property of sets and definition of } \top_{\mathit{BM}_\bot}\} \\
= \top_{\mathit{BM}_\bot}
\end{array}
\]

□


Lemma L.3.5.8 $\bot_{\mathit{BM}_\bot} \mathbin{;_{\mathit{BM}_\bot}} B = \bot_{\mathit{BM}_\bot}$

Proof.

\[
\begin{array}{l}
\quad \bot_{\mathit{BM}_\bot} \mathbin{;_{\mathit{BM}_\bot}} B \\
\quad \{\text{Definition of } \bot_{\mathit{BM}_\bot}\} \\
= (State \times \mathbb{P}\,State_\bot) \mathbin{;_{\mathit{BM}_\bot}} B \\
\quad \{\text{Definition of } ;_{\mathit{BM}_\bot} \text{ (Theorem T.3.5.1 as } \bot_{\mathit{BM}_\bot} \text{ is } \mathit{BMH0}\text{-healthy)}\} \\
= \left( \begin{array}{l} \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, State_\bot) \in (State \times \mathbb{P}\,State_\bot) \,\} \\ \cup \\ \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid (s_0, \{\, s_1 : State \mid (s_1, ss_0) \in B \,\}) \in (State \times \mathbb{P}\,State_\bot) \,\} \end{array} \right) \\
\quad \{\text{Property of sets}\} \\
= \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid \mathit{true} \,\} \cup \{\, s_0 : State,\ ss_0 : \mathbb{P}\,State_\bot \mid \mathit{true} \,\} \\
\quad \{\text{Property of sets}\} \\
= (State \times \mathbb{P}\,State_\bot) \\
\quad \{\text{Definition of } \bot_{\mathit{BM}_\bot}\} \\
= \bot_{\mathit{BM}_\bot}
\end{array}
\]

□


B.4 Relationship with Binary Multirelations 

B.4.1 bmb2bm 

Theorem T.3.6.1 (bmb2bm-is-bmh$_{up}$)

\[
\mathit{bmh}_{up} \circ \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) = \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B))
\]

Proof.

\[
\begin{array}{l}
\quad \mathit{bmh}_{up} \circ \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) \\
\quad \{\text{Definition of } \mathit{bmh}_{up}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s, ss_0) \in \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss \,\} \\
\quad \{\text{Lemma L.B.4.1}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad \exists ss_0 \bullet (s, ss_0) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge \bot \notin ss \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \\ \qquad \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss \end{array} \right\} \\
\quad \{\text{Variable renaming and property of sets}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad \exists ss_0 \bullet \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge \bot \notin ss_0 \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_1 \bullet (s,ss_1) \in B \wedge ss_1 \subseteq ss_0 \wedge \bot \notin ss_1 \wedge \bot \notin ss_0) \end{array} \right) \\ \qquad \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss \end{array} \right\} \\
\quad \{\text{Predicate calculus: distributivity and quantifier scope}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge \bot \notin ss \wedge \exists ss_0 \bullet \bot \notin ss_0 \wedge ss_0 \subseteq ss \\ \quad \vee \\ \quad \left( \begin{array}{l} (s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \\ \wedge \\ \exists ss_1, ss_0 \bullet \left( \begin{array}{l} (s,ss_1) \in B \wedge ss_1 \subseteq ss_0 \wedge \bot \notin ss_1 \wedge \bot \notin ss_0 \\ \wedge \\ \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss \end{array} \right) \end{array} \right) \end{array} \right\} \\
\quad \{\text{Predicate calculus: case-analysis on } ss_0\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge \bot \notin ss \\ \quad \vee \\ \quad \left( \begin{array}{l} (s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \\ \wedge \\ \exists ss_1, ss_0 \bullet \left( \begin{array}{l} (s,ss_1) \in B \wedge ss_1 \subseteq ss_0 \wedge \bot \notin ss_1 \wedge \bot \notin ss_0 \\ \wedge \\ \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss \end{array} \right) \end{array} \right) \end{array} \right\} \\
\quad \{\text{Predicate calculus}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge \bot \notin ss \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_1 \bullet (s,ss_1) \in B \wedge ss_1 \subseteq ss \wedge \bot \notin ss_1 \wedge \bot \notin ss) \end{array} \right\} \\
\quad \{\text{Lemma L.B.4.4}\} \\
= \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B))
\end{array}
\]

□


Lemma L.3.6.1 $\mathit{BMH} \Leftrightarrow \mathit{bmh}_{up}(B) = B$

Proof.

\[
\begin{array}{l}
\quad \mathit{BMH} \\
\quad \{\text{Definition of } \mathit{BMH}\} \\
\Leftrightarrow \forall s : State;\ ss_0, ss_1 : \mathbb{P}\,State \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1) \Rightarrow (s, ss_1) \in B \\
\quad \{\text{Predicate calculus: quantifier scope}\} \\
\Leftrightarrow \forall s : State;\ ss_1 : \mathbb{P}\,State \bullet (\exists ss_0 : \mathbb{P}\,State \bullet (s, ss_0) \in B \wedge ss_0 \subseteq ss_1) \Rightarrow (s, ss_1) \in B \\
\quad \{\text{Property of sets: subset inclusion}\} \\
\Leftrightarrow \{\, s : State,\ ss : \mathbb{P}\,State \mid \exists ss_0 : \mathbb{P}\,State \bullet (s, ss_0) \in B \wedge ss_0 \subseteq ss \,\} \subseteq B \\
\quad \{\text{Property of sets: subset inclusion}\} \\
\Leftrightarrow \{\, s : State,\ ss : \mathbb{P}\,State \mid \exists ss_0 : \mathbb{P}\,State \bullet (s, ss_0) \in B \wedge ss_0 \subseteq ss \,\} \cup B = B \\
\quad \{\text{Property of sets: set union}\} \\
\Leftrightarrow \{\, s : State,\ ss : \mathbb{P}\,State \mid (\exists ss_0 : \mathbb{P}\,State \bullet (s, ss_0) \in B \wedge ss_0 \subseteq ss) \vee (s, ss) \in B \,\} = B \\
\quad \{\text{Predicate calculus: instantiation of existential quantifier for } ss_0 = ss\} \\
\Leftrightarrow \{\, s : State,\ ss : \mathbb{P}\,State \mid \exists ss_0 : \mathbb{P}\,State \bullet (s, ss_0) \in B \wedge ss_0 \subseteq ss \,\} = B \\
\quad \{\text{Definition of } \mathit{bmh}_{up}\} \\
\Leftrightarrow \mathit{bmh}_{up}(B) = B
\end{array}
\]

□


Lemma L.B.4.1

\[
\mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) = \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge \bot \notin ss \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\}
\]

Proof.

\[
\begin{array}{l}
\quad \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) \\
\quad \{\text{Definition of } \mathit{bmb2bm}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s, ss) \in \mathit{bmh}_{0,1,3,2}(B) \wedge \bot \notin ss \,\} \\
\quad \{\text{Definition of } \mathit{bmh}_{0,1,3,2}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (s, ss) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \wedge \bot \notin ss \end{array} \right\} \\
\quad \{\text{Property of sets}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right) \wedge \bot \notin ss \end{array} \right\} \\
\quad \{\text{Predicate calculus}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge \bot \notin ss \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\}
\end{array}
\]

□


Lemma L.B.4.2 $(s,\emptyset) \in \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) = (s,\emptyset) \in B$

Proof.

\[
\begin{array}{l}
\quad (s,\emptyset) \in \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \\
\quad \{\text{Definition of } \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \text{ (Lemma L.B.4.5)}\} \\
= (s,\emptyset) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad (s,\emptyset) \in B \end{array} \right\} \\
\quad \{\text{Property of sets}\} \\
= \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq \emptyset \wedge \bot \notin \emptyset) \\ \vee \\ (s,\emptyset) \in B \end{array} \right) \\
\quad \{\text{Predicate calculus and one-point rule}\} \\
= (s,\emptyset) \in B
\end{array}
\]

□


Lemma L.B.4.3 $(s,\{\bot\}) \in \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) = (s,\emptyset) \in B$

Proof.

\[
\begin{array}{l}
\quad (s,\{\bot\}) \in \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \\
\quad \{\text{Definition of } \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \text{ (Lemma L.B.4.5)}\} \\
= (s,\{\bot\}) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad (s,\emptyset) \in B \end{array} \right\} \\
\quad \{\text{Property of sets}\} \\
= \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq \{\bot\} \wedge \bot \notin \{\bot\}) \\ \vee \\ (s,\emptyset) \in B \end{array} \right) \\
\quad \{\text{Property of sets and predicate calculus}\} \\
= (s,\emptyset) \in B
\end{array}
\]

□


Theorem T.B.4.1 Provided $B$ is $\mathit{BMH}_{0,1,2,3}$-healthy, $\mathit{bmh}_{up} \circ \mathit{bmb2bm}(B) = \mathit{bmb2bm}(B)$

Proof.

\[
\begin{array}{l}
\quad \mathit{bmh}_{up} \circ \mathit{bmb2bm}(B) \\
\quad \{\text{Assumption: } B \text{ is } \mathit{BMH}_{0,1,2,3}\text{-healthy}\} \\
= \mathit{bmh}_{up} \circ \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) \\
\quad \{\text{Theorem T.3.6.1}\} \\
= \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) \\
\quad \{\text{Assumption: } B \text{ is } \mathit{BMH}_{0,1,2,3}\text{-healthy}\} \\
= \mathit{bmb2bm}(B)
\end{array}
\]

□


Lemma L.B.4.4

\[
\mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) = \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge \bot \notin ss \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\}
\]

Proof.

\[
\begin{array}{l}
\quad \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) \\
\quad \{\text{Definition of } \mathit{bmb2bm}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s, ss) \in \mathit{bmh}_{0,1,3,2}(B) \wedge \bot \notin ss \,\} \\
\quad \{\text{Definition of } \mathit{bmh}_{0,1,3,2}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (s, ss) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \wedge \bot \notin ss \end{array} \right\} \\
\quad \{\text{Property of sets}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right) \wedge \bot \notin ss \end{array} \right\} \\
\quad \{\text{Predicate calculus}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \wedge \bot \notin ss \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\}
\end{array}
\]

□


B.4.2 bm2bmb 

Theorem T.3.6.2

\[
\mathit{bmh}_{0,1,3,2} \circ \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) = \mathit{bm2bmb}(\mathit{bmh}_{up}(B))
\]

Proof.

\[
\begin{array}{l}
\quad \mathit{bmh}_{0,1,3,2} \circ \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \\
\quad \{\text{Definition of } \mathit{bmh}_{0,1,3,2}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \wedge (s,\{\bot\}) \in \mathit{bm2bmb}(\mathit{bmh}_{up}(B))) \\ \quad \vee \\ \quad \left( \begin{array}{l} (s,\{\bot\}) \notin \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \wedge (s,\emptyset) \notin \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \\ \wedge \\ \exists ss_0 \bullet (s,ss_0) \in \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right) \end{array} \right\} \\
\quad \{\text{Lemma L.B.4.3 and Lemma L.B.4.2}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\emptyset) \in B) \\ \quad \vee \\ \quad \left( \begin{array}{l} (s,\emptyset) \notin B \wedge (s,\emptyset) \notin B \\ \wedge \\ \exists ss_0 \bullet (s,ss_0) \in \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right) \end{array} \right\} \\
\quad \{\text{Predicate calculus and definition of } \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \text{ (Lemma L.B.4.5)}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (s,\emptyset) \in B \\ \quad \vee \\ \quad \exists ss_0 \bullet (s,ss_0) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad (s,\emptyset) \in B \end{array} \right\} \\ \qquad \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right\} \\
\quad \{\text{Variable renaming and property of sets}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (s,\emptyset) \in B \\ \quad \vee \\ \quad \exists ss_0 \bullet \left( \begin{array}{l} (\exists ss_1 \bullet (s,ss_1) \in B \wedge \bot \notin ss_1 \wedge ss_1 \subseteq ss_0 \wedge \bot \notin ss_0) \\ \vee \\ (s,\emptyset) \in B \end{array} \right) \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right\} \\
\quad \{\text{Predicate calculus}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (s,\emptyset) \in B \\ \quad \vee \\ \quad \left( \exists ss_0, ss_1 \bullet \begin{array}{l} (s,ss_1) \in B \wedge \bot \notin ss_1 \wedge ss_1 \subseteq ss_0 \wedge \bot \notin ss_0 \\ \wedge\ ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss \end{array} \right) \\ \quad \vee \\ \quad (\exists ss_0 \bullet (s,\emptyset) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \\
\quad \{\text{Predicate calculus}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (s,\emptyset) \in B \\ \quad \vee \\ \quad (\exists ss_1 \bullet (s,ss_1) \in B \wedge \bot \notin ss_1 \wedge ss_1 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad ((s,\emptyset) \in B \wedge \exists ss_0 \bullet ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \\
\quad \{\text{Predicate calculus: absorption law}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (s,\emptyset) \in B \\ \quad \vee \\ \quad (\exists ss_1 \bullet (s,ss_1) \in B \wedge \bot \notin ss_1 \wedge ss_1 \subseteq ss \wedge \bot \notin ss) \end{array} \right\} \\
\quad \{\text{Lemma L.B.4.5}\} \\
= \mathit{bm2bmb}(\mathit{bmh}_{up}(B))
\end{array}
\]

□

Theorem T.3.6.3 Provided $B$ is $\mathit{BMH}_{0,1,2,3}$-healthy, $\mathit{bm2bmb} \circ \mathit{bmb2bm}(B) = B$.

Proof.

\[
\begin{array}{l}
\quad \mathit{bm2bmb} \circ \mathit{bmb2bm}(B) \\
\quad \{\text{Assumption: } B \text{ is } \mathit{BMH0}\text{-}\mathit{BMH3}\text{-healthy}\} \\
= \mathit{bm2bmb} \circ \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) \\
\quad \{\text{Definition of } \mathit{bm2bmb}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s, ss) \in \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) \wedge \bot \notin ss) \\ \quad \vee \\ \quad (s,\emptyset) \in \mathit{bmb2bm}(\mathit{bmh}_{0,1,3,2}(B)) \end{array} \right\} \\
\quad \{\text{Lemma L.B.4.1}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad \left( (s, ss) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B \wedge \bot \notin ss) \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \wedge \bot \notin ss \right) \\ \quad \vee \\ \quad (s,\emptyset) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B \wedge \bot \notin ss) \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \end{array} \right\} \\
\quad \{\text{Property of sets}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad \left( \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B \wedge \bot \notin ss) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right) \wedge \bot \notin ss \right) \\ \quad \vee \\ \quad \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B \wedge \bot \notin \emptyset) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq \emptyset \wedge \bot \notin ss_0 \wedge \bot \notin \emptyset) \end{array} \right) \end{array} \right\} \\
\quad \{\text{Property of sets, predicate calculus and one-point rule}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B \wedge \bot \notin ss) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right) \\ \quad \vee \\ \quad \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge (s,\emptyset) \in B) \end{array} \right) \end{array} \right\} \\
\quad \{\text{Predicate calculus}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad \left( \begin{array}{l} ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B \wedge \bot \notin ss) \\ \vee \\ ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right) \\ \quad \vee \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \end{array} \right\} \\
\quad \{\text{Predicate calculus: absorption law}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad ((s,\emptyset) \in B \wedge (s,\{\bot\}) \in B) \\ \quad \vee \\ \quad ((s,\{\bot\}) \notin B \wedge (s,\emptyset) \notin B \wedge \exists ss_0 \bullet (s,ss_0) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right\} \\
\quad \{\text{Definition of } \mathit{bmh}_{0,1,3,2}\} \\
= \mathit{bmh}_{0,1,3,2}(B) \\
\quad \{\text{Assumption: } B \text{ is } \mathit{BMH0}\text{-}\mathit{BMH3}\text{-healthy}\} \\
= B
\end{array}
\]

□


Theorem T.3.6.4 Provided $B$ is $\mathit{BMH}$-healthy, $\mathit{bmb2bm} \circ \mathit{bm2bmb}(B) = B$.

Proof.

\[
\begin{array}{l}
\quad \mathit{bmb2bm} \circ \mathit{bm2bmb}(B) \\
\quad \{\text{Assumption: } B \text{ is } \mathit{BMH}\text{-healthy}\} \\
= \mathit{bmb2bm} \circ \mathit{bm2bmb}(\mathit{bmh}_{upclosed}(B)) \\
\quad \{\text{Definition of } \mathit{bmb2bm}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s, ss) \in \mathit{bm2bmb}(\mathit{bmh}_{upclosed}(B)) \wedge \bot \notin ss \,\} \\
\quad \{\text{Lemma L.B.4.5}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (s, ss) \in \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad (s,\emptyset) \in B \end{array} \right\} \wedge \bot \notin ss \end{array} \right\} \\
\quad \{\text{Property of sets}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad \left( \begin{array}{l} (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \vee \\ (s,\emptyset) \in B \end{array} \right) \wedge \bot \notin ss \end{array} \right\} \\
\quad \{\text{Predicate calculus}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad ((s,\emptyset) \in B \wedge \bot \notin ss) \end{array} \right\} \\
\quad \{\text{Instantiation: consider case where } ss_0 = \emptyset\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss \,\} \\
\quad \{\text{Definition of } \mathit{bmh}_{upclosed}\} \\
= \mathit{bmh}_{upclosed}(B) \\
\quad \{\text{Assumption: } B \text{ is } \mathit{BMH}\text{-healthy}\} \\
= B
\end{array}
\]

□
Lemma L.B.4.5

\[
\mathit{bm2bmb}(\mathit{bmh}_{up}(B)) = \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad (s,\emptyset) \in B \end{array} \right\}
\]

Proof.

\[
\begin{array}{l}
\quad \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \\
\quad \{\text{Definition of } \mathit{bm2bmb}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s, ss) \in \mathit{bmh}_{up}(B) \wedge \bot \notin ss) \vee (s,\emptyset) \in \mathit{bmh}_{up}(B) \,\} \\
\quad \{\text{Definition of } \mathit{bmh}_{up}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad \left( (s, ss) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss \,\} \wedge \bot \notin ss \right) \\ \quad \vee \\ \quad (s,\emptyset) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss \,\} \end{array} \right\} \\
\quad \{\text{Property of sets and predicate calculus}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq \emptyset) \end{array} \right\} \\
\quad \{\text{Case-analysis on } ss_0 \text{ and one-point rule}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad (s,\emptyset) \in B \end{array} \right\}
\end{array}
\]

□


Lemma L.B.4.6

\[
\mathit{bm2bmb}(\mathit{bmh}_{up}(B)) = \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad (s,\emptyset) \in B \end{array} \right\}
\]

Proof.

\[
\begin{array}{l}
\quad \mathit{bm2bmb}(\mathit{bmh}_{up}(B)) \\
\quad \{\text{Definition of } \mathit{bm2bmb}\} \\
= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((s, ss) \in \mathit{bmh}_{up}(B) \wedge \bot \notin ss) \vee (s,\emptyset) \in \mathit{bmh}_{up}(B) \,\} \\
\quad \{\text{Definition of } \mathit{bmh}_{up}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad \left( (s, ss) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss \,\} \wedge \bot \notin ss \right) \\ \quad \vee \\ \quad (s,\emptyset) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss \,\} \end{array} \right\} \\
\quad \{\text{Property of sets and predicate calculus}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq \emptyset) \end{array} \right\} \\
\quad \{\text{Case-analysis on } ss_0 \text{ and one-point rule}\} \\
= \left\{ \begin{array}{l} s : State,\ ss : \mathbb{P}\,State_\bot \mid \\ \quad (\exists ss_0 \bullet (s,ss_0) \in B \wedge \bot \notin ss_0 \wedge ss_0 \subseteq ss \wedge \bot \notin ss) \\ \quad \vee \\ \quad (s,\emptyset) \in B \end{array} \right\}
\end{array}
\]

□


B.5 Set Theory 

Lemma L.B.5.1

\[
\begin{array}{l}
\quad \exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss) \\
= \exists ss_0 \bullet (s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge \bot \in ss_0
\end{array}
\]

Proof.

\[
\begin{array}{l}
\quad \exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \wedge ss_0 \subseteq ss \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss) \\
\quad \{\text{Predicate calculus}\} \\
= \exists ss_0 \bullet \left( \begin{array}{l} ((s, ss_0 \cup \{\bot\}) \in B \wedge ss_0 \subseteq ss \wedge \bot \in ss_0 \wedge \bot \in ss) \\ \vee \\ ((s, ss_0 \cup \{\bot\}) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right) \\
\quad \{\text{Predicate calculus and property of sets}\} \\
= \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge \bot \in ss_0 \wedge \bot \in ss) \\ \vee \\ (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right) \\
\quad \{\text{Introduce fresh variable } t \text{ and substitution}\} \\
= \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge \bot \in ss_0 \wedge \bot \in ss) \\ \vee \\ (\exists t, ss_0 \bullet (s, t) \in B \wedge t = ss_0 \cup \{\bot\} \wedge ss_0 \subseteq ss \wedge \bot \notin ss_0 \wedge \bot \notin ss) \end{array} \right) \\
\quad \{\text{Property of sets (Lemma L.B.5.2)}\} \\
= \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge \bot \in ss_0 \wedge \bot \in ss) \\ \vee \\ (\exists t, ss_0 \bullet (s, t) \in B \wedge t \setminus \{\bot\} = ss_0 \wedge ss_0 \subseteq ss \wedge \bot \in t \wedge \bot \notin ss) \end{array} \right) \\
\quad \{\text{One-point rule and substitution}\} \\
= \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge \bot \in ss_0 \wedge \bot \in ss) \\ \vee \\ (\exists t \bullet (s, t) \in B \wedge (t \setminus \{\bot\}) \subseteq ss \wedge \bot \in t \wedge \bot \notin ss) \end{array} \right) \\
\quad \{\text{Property of sets}\} \\
= \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge \bot \in ss_0 \wedge \bot \in ss) \\ \vee \\ (\exists t \bullet (s, t) \in B \wedge t \subseteq (ss \cup \{\bot\}) \wedge \bot \in t \wedge \bot \notin ss) \end{array} \right) \\
\quad \{\text{Rename variables}\} \\
= \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge \bot \in ss_0 \wedge \bot \in ss) \\ \vee \\ (\exists ss_0 \bullet (s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge \bot \in ss_0 \wedge \bot \notin ss) \end{array} \right) \\
\quad \{\text{Predicate calculus}\} \\
= \exists ss_0 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge \bot \in ss_0) \wedge (\bot \in ss \vee \bot \notin ss) \\
\quad \{\text{Propositional calculus}\} \\
= \exists ss_0 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq (ss \cup \{\bot\}) \wedge \bot \in ss_0)
\end{array}
\]

□


Lemma L.B.5.2 $(A = B \cup \{x\} \wedge x \notin B) = (A \setminus \{x\} = B \wedge x \in A)$

Proof.

\[
\begin{array}{l}
\quad A = B \cup \{x\} \wedge x \notin B \\
\quad \{\text{Set equality}\} \\
= (\forall y \bullet y \in A \Leftrightarrow y \in (B \cup \{x\})) \wedge x \notin B \\
\quad \{\text{Propositional calculus}\} \\
= (\forall y \bullet (y \in A \Rightarrow y \in (B \cup \{x\})) \wedge (y \in (B \cup \{x\}) \Rightarrow y \in A)) \wedge x \notin B \\
\quad \{\text{Property of sets}\} \\
= (\forall y \bullet (y \in A \Rightarrow (y \in B \vee y \in \{x\})) \wedge ((y \in B \vee y \in \{x\}) \Rightarrow y \in A)) \wedge x \notin B \\
\quad \{\text{Propositional calculus}\} \\
= \left( \forall y \bullet \begin{array}{l} ((y \in A \wedge y \notin \{x\}) \Rightarrow y \in B) \\ \wedge\ (y \in B \Rightarrow y \in A) \wedge (y \in \{x\} \Rightarrow y \in A) \end{array} \right) \wedge x \notin B \\
\quad \{\text{Lemma L.B.5.4 and propositional calculus}\} \\
= \forall y \bullet \begin{array}{l} ((y \in A \wedge y \notin \{x\}) \Rightarrow y \in B) \\ \wedge\ (y \in B \Rightarrow y \in A) \wedge (y \in \{x\} \Rightarrow y \in A) \wedge (y \in B \Rightarrow y \notin \{x\}) \end{array} \\
\quad \{\text{Propositional calculus}\} \\
= (\forall y \bullet ((y \in A \wedge y \notin \{x\}) \Leftrightarrow y \in B) \wedge (y \in \{x\} \Rightarrow y \in A)) \\
\quad \{\text{Property of sets}\} \\
= (A \setminus \{x\} = B \wedge \{x\} \subseteq A) \\
\quad \{\text{Lemma L.B.5.3 and propositional calculus}\} \\
= (A \setminus \{x\} = B \wedge x \in A)
\end{array}
\]

□


Lemma L.B.5.3 $\{x\} \subseteq A \Leftrightarrow x \in A$

Proof.

\[
\begin{array}{l}
\quad \{x\} \subseteq A \\
\quad \{\text{Definition of subset inclusion}\} \\
= \forall y \bullet y \in \{x\} \Rightarrow y \in A \\
\quad \{\text{Propositional calculus}\} \\
= \neg \exists y \bullet (y \in \{x\} \wedge y \notin A) \\
\quad \{\text{Propositional calculus}\} \\
= \neg \exists y \bullet y = x \wedge y \notin A \\
\quad \{\text{One-point rule}\} \\
= \neg (x \notin A) \\
\quad \{\text{Propositional calculus}\} \\
= x \in A
\end{array}
\]

□


Lemma L.B.5.4 $x \notin A \Leftrightarrow (\forall y \bullet y \in A \Rightarrow y \notin \{x\})$

Proof.

\[
\begin{array}{l}
\quad x \notin A \\
\quad \{\text{Propositional calculus}\} \\
= \neg (x \in A) \\
\quad \{\text{Introduce fresh variable}\} \\
= \neg (\exists y \bullet y = x \wedge y \in A) \\
\quad \{\text{Property of sets}\} \\
= \neg (\exists y \bullet y \in \{x\} \wedge y \in A) \\
\quad \{\text{Propositional calculus}\} \\
= \forall y \bullet y \in A \Rightarrow y \notin \{x\}
\end{array}
\]

□


Lemma L.B.5.5 $(A = (B \cup \{x\}) \wedge x \in B) \Leftrightarrow (A = B \wedge x \in B)$

Proof. (Implication)

\[
\begin{array}{l}
\quad A = B \cup \{x\} \wedge x \in B \\
\quad \{\text{Property of sets}\} \\
= (A \subseteq (B \cup \{x\}) \wedge (B \cup \{x\}) \subseteq A \wedge x \in B) \\
\quad \{\text{Lemma L.B.5.3}\} \\
= (A \subseteq (B \cup \{x\}) \wedge (B \cup \{x\}) \subseteq A \wedge \{x\} \subseteq B) \\
\quad \{\text{Property of sets}\} \\
= (A \subseteq (B \cup \{x\}) \wedge B \subseteq A \wedge \{x\} \subseteq A \wedge \{x\} \subseteq B) \\
\quad \{\text{Property of sets}\} \\
= (A \subseteq (B \cup \{x\}) \wedge B \subseteq A \wedge \{x\} \subseteq A \wedge (\{x\} \cup B = B)) \\
\quad \{\text{Propositional calculus}\} \\
= (A \subseteq (B \cup \{x\}) \wedge B \subseteq A \wedge \{x\} \subseteq A \wedge (\{x\} \cup B) \subseteq B \wedge B \subseteq (\{x\} \cup B)) \\
\quad \{\text{Transitivity of subset inclusion and propositional calculus}\} \\
= \left( \begin{array}{l} A \subseteq (B \cup \{x\}) \wedge B \subseteq A \wedge \{x\} \subseteq A \\ \wedge \\ (\{x\} \cup B) \subseteq B \wedge A \subseteq B \wedge B \subseteq (\{x\} \cup B) \end{array} \right) \\
\quad \{\text{Propositional calculus}\} \\
\Rightarrow B \subseteq A \wedge A \subseteq B \wedge (\{x\} \cup B) \subseteq B \wedge B \subseteq (\{x\} \cup B) \\
\quad \{\text{Property of sets}\} \\
= (B = A \wedge \{x\} \cup B = B) \\
\quad \{\text{Lemma L.B.5.3}\} \\
= (B = A \wedge x \in B)
\end{array}
\]

□

Proof. (Reverse implication)

\[
\begin{array}{l}
\quad (B = A \wedge x \in B) \\
\quad \{\text{Lemma L.B.5.3}\} \\
= (B = A \wedge \{x\} \subseteq B) \\
\quad \{\text{Property of sets}\} \\
= (A \subseteq B \wedge B \subseteq A \wedge \{x\} \subseteq B) \\
\quad \{\text{Transitivity of subset inclusion and propositional calculus}\} \\
= (A \subseteq B \wedge B \subseteq A \wedge \{x\} \subseteq B \wedge \{x\} \subseteq A) \\
\quad \{\text{Property of sets}\} \\
= (A \subseteq B \wedge B \subseteq A \wedge \{x\} \subseteq B \wedge \{x\} \subseteq A \wedge (B \cup \{x\}) \subseteq A \wedge (A \cup \{x\}) \subseteq B) \\
\quad \{\text{Property of sets}\} \\
= \left( \begin{array}{l} A \subseteq B \wedge B \subseteq A \wedge \{x\} \subseteq B \wedge (\{x\} \cup B = B) \\ \wedge \\ \{x\} \subseteq A \wedge (B \cup \{x\}) \subseteq A \wedge (A \cup \{x\}) \subseteq B \end{array} \right) \\
\quad \{\text{Property of sets and weaken predicate}\} \\
\Rightarrow \left( \begin{array}{l} A \subseteq B \wedge B \subseteq A \wedge \{x\} \subseteq B \wedge B \subseteq (\{x\} \cup B) \\ \wedge \\ \{x\} \subseteq A \wedge (B \cup \{x\}) \subseteq A \wedge (A \cup \{x\}) \subseteq B \end{array} \right) \\
\quad \{\text{Transitivity of subset inclusion and propositional calculus}\} \\
\Rightarrow \left( \begin{array}{l} A \subseteq B \wedge B \subseteq A \wedge \{x\} \subseteq B \wedge B \subseteq (\{x\} \cup B) \\ \wedge \\ A \subseteq (\{x\} \cup B) \wedge \{x\} \subseteq A \wedge (B \cup \{x\}) \subseteq A \end{array} \right) \\
\quad \{\text{Property of sets}\} \\
= (A = B \wedge B \subseteq (\{x\} \cup B) \wedge \{x\} \subseteq B \wedge \{x\} \subseteq A \wedge (B \cup \{x\}) = A) \\
\quad \{\text{Propositional calculus}\} \\
\Rightarrow (\{x\} \subseteq B \wedge (B \cup \{x\}) = A) \\
\quad \{\text{Lemma L.B.5.3}\} \\
= ((B \cup \{x\}) = A \wedge x \in B)
\end{array}
\]

□


Lemma L.B.5.6

\[
((A \cup \{x\}) \subseteq (B \cup \{x\}) \wedge x \notin A \wedge x \notin B) \Leftrightarrow (A \subseteq B \wedge x \notin A \wedge x \notin B)
\]

Proof.

\[
\begin{array}{l}
\quad (A \cup \{x\}) \subseteq (B \cup \{x\}) \wedge x \notin A \wedge x \notin B \\
\quad \{\text{Definition of subset inclusion}\} \\
= (\forall y \bullet y \in (A \cup \{x\}) \Rightarrow y \in (B \cup \{x\})) \wedge x \notin A \wedge x \notin B \\
\quad \{\text{Property of sets}\} \\
= (\forall y \bullet (y \in A \vee y \in \{x\}) \Rightarrow (y \in B \vee y \in \{x\})) \wedge x \notin A \wedge x \notin B \\
\quad \{\text{Propositional calculus}\} \\
= (\forall y \bullet y \in A \Rightarrow (y \in B \vee y \in \{x\})) \wedge x \notin A \wedge x \notin B \\
\quad \{\text{Lemma L.B.5.4}\} \\
= \left( \begin{array}{l} (\forall y \bullet y \in A \Rightarrow (y \in B \vee y \in \{x\})) \\ \wedge \\ (\forall y \bullet y \in A \Rightarrow y \notin \{x\}) \\ \wedge \\ (\forall y \bullet y \in B \Rightarrow y \notin \{x\}) \end{array} \right) \\
\quad \{\text{Propositional calculus}\} \\
= \forall y \bullet \left( \begin{array}{l} (y \in A \Rightarrow (y \in B \wedge y \notin \{x\})) \\ \wedge \\ (y \in B \Rightarrow y \notin \{x\}) \end{array} \right) \\
\quad \{\text{Propositional calculus}\} \\
= \forall y \bullet (y \in A \Rightarrow y \in B) \wedge ((y \in A \vee y \in B) \Rightarrow y \notin \{x\}) \\
\quad \{\text{Propositional calculus and definition of subset inclusion}\} \\
= A \subseteq B \wedge \forall y \bullet ((y \in A \vee y \in B) \Rightarrow y \notin \{x\}) \\
\quad \{\text{Property of sets and Lemma L.B.5.4}\} \\
= A \subseteq B \wedge x \notin (A \cup B) \\
\quad \{\text{Propositional calculus and property of sets}\} \\
= A \subseteq B \wedge x \notin A \wedge x \notin B
\end{array}
\]

□










Appendix C

Angelic Designs (A)

C.1 Healthiness Conditions

C.1.1 A0

Definition 87 $A0(P) = P \wedge ((ok \wedge \lnot P^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$

Theorem T.4.2.1 $A0 \circ A0(P) = A0(P)$

Proof.

$A0 \circ A0(P)$ {Theorem T.4.2.3}
$= A0(\lnot P^f \vdash P^t \wedge ac' \neq \emptyset)$ {Theorem T.4.2.3}
$= (\lnot P^f \vdash P^t \wedge ac' \neq \emptyset \wedge ac' \neq \emptyset)$ {Propositional calculus}
$= (\lnot P^f \vdash P^t \wedge ac' \neq \emptyset)$ {Definition of A0}
$= A0(P)$

□

Theorem T.4.2.2 $(P \sqsubseteq Q) \Rightarrow (A0(P) \sqsubseteq A0(Q))$

Proof.

$A0(Q)$ {Definition of A0}
$= Q \wedge ((ok \wedge \lnot Q^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Assumption: $[Q \Rightarrow P] \wedge [\lnot P \Rightarrow \lnot Q]$}
$\Rightarrow P \wedge ((ok \wedge \lnot P^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Definition of A0}
$= A0(P)$

□


Theorem T.4.2.3 If P is a design so is A0(P). $A0(P) = (\lnot P^f \vdash P^t \wedge ac' \neq \emptyset)$

Proof.

$A0(P)$ {Definition of design and A0}
$= (\lnot P^f \vdash P^t) \wedge ((ok \wedge \lnot P^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Definition of design and propositional calculus}
$= (ok \wedge \lnot P^f) \Rightarrow (P^t \wedge ok' \wedge (ok' \Rightarrow ac' \neq \emptyset))$ {Propositional calculus}
$= (ok \wedge \lnot P^f) \Rightarrow (P^t \wedge ok' \wedge ac' \neq \emptyset)$ {Definition of design}
$= (\lnot P^f \vdash P^t \wedge ac' \neq \emptyset)$

□


Theorem T.4.2.4 Provided P and Q are A0-healthy, $A0(P \wedge Q) = P \wedge Q$

Proof.

$P \wedge Q$ {Assumption: P and Q are A0-healthy}
$= A0(P) \wedge A0(Q)$ {Definition of A0}
$= (P \wedge ((ok \wedge \lnot P^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))) \wedge (Q \wedge ((ok \wedge \lnot Q^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset)))$ {Propositional calculus}
$= (P \wedge Q) \wedge (((ok \wedge \lnot P^f) \vee (ok \wedge \lnot Q^f)) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Propositional calculus}
$= (P \wedge Q) \wedge ((ok \wedge \lnot (P^f \wedge Q^f)) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Definition of A0}
$= A0(P \wedge Q)$

□
Theorem T.4.2.5 Provided P and Q are A0-healthy designs, $A0(P \vee Q) = P \vee Q$

Proof.

$P \vee Q$ {Assumption: P and Q are A0-healthy}
$= A0(P) \vee A0(Q)$ {Definition of A0}
$= (\lnot P^f \vdash P^t \wedge ac' \neq \emptyset) \vee (\lnot Q^f \vdash Q^t \wedge ac' \neq \emptyset)$ {Disjunction of designs}
$= (\lnot P^f \wedge \lnot Q^f \vdash (P^t \wedge ac' \neq \emptyset) \vee (Q^t \wedge ac' \neq \emptyset))$ {Propositional calculus}
$= (\lnot (P^f \vee Q^f) \vdash (P^t \vee Q^t) \wedge ac' \neq \emptyset)$ {Property of substitution}
$= (\lnot (P \vee Q)^f \vdash (P \vee Q)^t \wedge ac' \neq \emptyset)$ {Definition of A0}
$= A0(P \vee Q)$

□


Theorem T.C.1.1 $A0(P \wedge Q) = A0(P) \wedge A0(Q)$

Proof.

$A0(P \wedge Q)$ {Definition of A0}
$= (P \wedge Q) \wedge ((ok \wedge \lnot (P \wedge Q)^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Property of substitution}
$= (P \wedge Q) \wedge ((ok \wedge \lnot (P^f \wedge Q^f)) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Predicate calculus}
$= (P \wedge Q) \wedge ((ok \wedge (\lnot P^f \vee \lnot Q^f)) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Predicate calculus}
$= (P \wedge Q) \wedge (((ok \wedge \lnot P^f) \vee (ok \wedge \lnot Q^f)) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Predicate calculus}
$= (P \wedge ((ok \wedge \lnot P^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))) \wedge (Q \wedge ((ok \wedge \lnot Q^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset)))$ {Definition of A0}
$= A0(P) \wedge A0(Q)$

□


Theorem T.C.1.2 $A0 \circ H1 \circ H2(P) = (\lnot P^f \vdash P^t \wedge ac' \neq \emptyset)$

Proof.

$A0 \circ H1 \circ H2(P)$ {Definition of design}
$= A0(\lnot P^f \vdash P^t)$ {Definition of A0}
$= (\lnot P^f \vdash P^t) \wedge ((ok \wedge \lnot (\lnot P^f \vdash P^t)^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Definition of design}
$= (\lnot P^f \vdash P^t) \wedge ((ok \wedge \lnot ((ok \wedge \lnot P^f) \Rightarrow (P^t \wedge ok'))^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Substitution}
$= (\lnot P^f \vdash P^t) \wedge ((ok \wedge \lnot ((ok \wedge \lnot P^f) \Rightarrow (P^t \wedge \mathit{false}))) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Predicate calculus}
$= (\lnot P^f \vdash P^t) \wedge ((ok \wedge \lnot P^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Definition of design}
$= ((ok \wedge \lnot P^f) \Rightarrow (P^t \wedge ok')) \wedge ((ok \wedge \lnot P^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$ {Predicate calculus}
$= ((ok \wedge \lnot P^f) \Rightarrow (P^t \wedge ok' \wedge (ok' \Rightarrow ac' \neq \emptyset)))$ {Predicate calculus}
$= ((ok \wedge \lnot P^f) \Rightarrow (P^t \wedge ok' \wedge ac' \neq \emptyset))$ {Definition of design}
$= (\lnot P^f \vdash P^t \wedge ac' \neq \emptyset)$

□

Theorem T.C.1.3 $H1 \circ H2 \circ A0(P) = A0 \circ H1 \circ H2(P)$

Proof.

$H1 \circ H2 \circ A0(P)$ {Definition of design}
$= (\lnot A0(P)^f \vdash A0(P)^t)$ {Lemmas L.C.1.3 and L.C.1.4}
$= (\lnot P^f \vdash P^t \wedge ((ok \wedge \lnot P^f) \Rightarrow ac' \neq \emptyset))$ {Definition of design and predicate calculus}
$= (\lnot P^f \vdash P^t \wedge ac' \neq \emptyset)$ {Theorem T.C.1.2}
$= A0 \circ H1 \circ H2(P)$

□


Lemma L.C.1.1 Provided $ok'$ is not free in $e$, $A0(P)[e/s] = A0(P[e/s])$.

Proof.

$A0(P)[e/s]$ {Definition of A0}
$= (P \wedge ((ok \wedge \lnot P^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset)))[e/s]$ {Property of substitution}
$= (P[e/s] \wedge ((ok \wedge \lnot P^f[e/s]) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset)))$ {Property of substitution: $ok'$ not free in $e$}
$= (P[e/s] \wedge ((ok \wedge \lnot P[e/s]^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset)))$ {Definition of A0}
$= A0(P[e/s])$

□


Lemma L.C.1.2 $A0(P)^o = P^o \wedge ((ok \wedge \lnot P^f) \Rightarrow (o \Rightarrow ac' \neq \emptyset))$

Proof.

$A0(P)^o$ {Definition of A0}
$= (P \wedge ((ok \wedge \lnot P^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset)))^o$ {Substitution}
$= P^o \wedge ((ok \wedge \lnot P^f) \Rightarrow (o \Rightarrow ac' \neq \emptyset))$

□

Lemma L.C.1.3 $A0(P)^f = P^f$

Proof.

$A0(P)^f$ {Lemma L.C.1.2}
$= P^f \wedge ((ok \wedge \lnot P^f) \Rightarrow (\mathit{false} \Rightarrow ac' \neq \emptyset))$ {Predicate calculus}
$= P^f$

□

Lemma L.C.1.4 $A0(P)^t = P^t \wedge ((ok \wedge \lnot P^f) \Rightarrow ac' \neq \emptyset)$

Proof.

$A0(P)^t$ {Lemma L.C.1.2}
$= P^t \wedge ((ok \wedge \lnot P^f) \Rightarrow (\mathit{true} \Rightarrow ac' \neq \emptyset))$ {Predicate calculus}
$= P^t \wedge ((ok \wedge \lnot P^f) \Rightarrow ac' \neq \emptyset)$

□
C.1.2 A1

Theorem T.4.2.6 $A1 \circ A1(P_0 \vdash P_1) = A1(P_0 \vdash P_1)$

Proof.

$A1 \circ A1(P_0 \vdash P_1)$ {Definition of A1}
$= A1(\lnot PBMH(\lnot P_0) \vdash PBMH(P_1))$ {Definition of A1}
$= (\lnot PBMH(\lnot \lnot PBMH(\lnot P_0)) \vdash PBMH \circ PBMH(P_1))$ {Propositional calculus}
$= (\lnot (PBMH \circ PBMH(\lnot P_0)) \vdash PBMH \circ PBMH(P_1))$ {Theorem T.E.2.1}
$= (\lnot PBMH(\lnot P_0) \vdash PBMH(P_1))$ {Definition of A1}
$= A1(P_0 \vdash P_1)$

□


Theorem T.4.2.7 $(P \sqsubseteq Q) \Rightarrow A1(P) \sqsubseteq A1(Q)$

Proof.

$A1(Q)$ {Definition of design}
$= A1(\lnot Q^f \vdash Q^t)$ {Definition of design and propositional calculus}
$= A1((\lnot ok \vee Q^f) \vee (Q^t \wedge ok'))$ {Assumption: $[Q \Rightarrow P]$ holds}
$= A1((\lnot ok \vee (Q^f \wedge (Q^f \Rightarrow P^f))) \vee (Q^t \wedge (Q^t \Rightarrow P^t) \wedge ok'))$ {Predicate calculus and definition of design}
$= A1(\lnot (Q^f \wedge P^f) \vdash Q^t \wedge P^t)$ {Definition of A1}
$= (\lnot PBMH(Q^f \wedge P^f) \vdash PBMH(Q^t \wedge P^t))$ {Definition of PBMH}
$= (\lnot ((Q^f \wedge P^f) ;_A ac \subseteq ac') \vdash (Q^t \wedge P^t) ;_A ac \subseteq ac')$ {Definition of sequential composition}
$= (\lnot \exists ac_0 \bullet Q^f[ac_0/ac'] \wedge P^f[ac_0/ac'] \wedge ac_0 \subseteq ac' \vdash (Q^t \wedge P^t) ;_A ac \subseteq ac')$ {Predicate calculus}
$= (\forall ac_0 \bullet \lnot Q^f[ac_0/ac'] \vee \lnot P^f[ac_0/ac'] \vee \lnot (ac_0 \subseteq ac') \vdash (Q^t \wedge P^t) ;_A ac \subseteq ac')$ {Predicate calculus}
$= (\forall ac_0 \bullet (\lnot Q^f[ac_0/ac'] \vee \lnot (ac_0 \subseteq ac')) \vee (\lnot P^f[ac_0/ac'] \vee \lnot (ac_0 \subseteq ac')) \vdash (Q^t \wedge P^t) ;_A ac \subseteq ac')$ {Weaken precondition}
$\sqsupseteq ((\forall ac_0 \bullet (\lnot Q^f[ac_0/ac'] \vee \lnot (ac_0 \subseteq ac'))) \vee (\forall ac_0 \bullet (\lnot P^f[ac_0/ac'] \vee \lnot (ac_0 \subseteq ac'))) \vdash (Q^t \wedge P^t) ;_A ac \subseteq ac')$ {Weaken precondition}
$\sqsupseteq (\forall ac_0 \bullet (\lnot P^f[ac_0/ac'] \vee \lnot (ac_0 \subseteq ac')) \vdash (Q^t \wedge P^t) ;_A ac \subseteq ac')$ {Predicate calculus}
$= (\lnot \exists ac_0 \bullet P^f[ac_0/ac'] \wedge ac_0 \subseteq ac' \vdash (Q^t \wedge P^t) ;_A ac \subseteq ac')$ {Definition of sequential composition}
$= (\lnot (P^f ;_A ac \subseteq ac') \vdash (Q^t \wedge P^t) ;_A ac \subseteq ac')$ {Strengthen postcondition}
$\sqsupseteq (\lnot (P^f ;_A ac \subseteq ac') \vdash P^t ;_A ac \subseteq ac')$ {Definition of PBMH}
$= (\lnot PBMH(P^f) \vdash PBMH(P^t))$ {Definition of A1}
$= A1(\lnot P^f \vdash P^t)$ {Definition of designs}
$= A1(P)$

□


C.1.3 A

Theorem T.4.2.8 Provided $P^t$ satisfies PBMH, $A0 \circ A1(P) = A1 \circ A0(P)$

Proof.

$A0 \circ A1(P)$ {Definition of design}
$= A0 \circ A1(\lnot P^f \vdash P^t)$ {Definition of A1}
$= A0(\lnot PBMH(P^f) \vdash PBMH(P^t))$ {Theorem T.4.2.3}
$= (\lnot PBMH(P^f) \vdash PBMH(P^t) \wedge ac' \neq \emptyset)$ {$ac' \neq \emptyset$ satisfies PBMH (Lemma L.E.4.4)}
$= (\lnot PBMH(P^f) \vdash PBMH(P^t) \wedge PBMH(ac' \neq \emptyset))$ {Closure of PBMH w.r.t. conjunction (Theorem T.E.3.1)}
$= (\lnot PBMH(P^f) \vdash PBMH(PBMH(P^t) \wedge PBMH(ac' \neq \emptyset)))$ {$ac' \neq \emptyset$ satisfies PBMH (Lemma L.E.4.4)}
$= (\lnot PBMH(P^f) \vdash PBMH(PBMH(P^t) \wedge ac' \neq \emptyset))$ {Assumption: $P^t$ satisfies PBMH}
$= (\lnot PBMH(P^f) \vdash PBMH(P^t \wedge ac' \neq \emptyset))$ {Definition of A1}
$= A1(\lnot P^f \vdash P^t \wedge ac' \neq \emptyset)$ {Definition of A0}
$= A1 \circ A0(\lnot P^f \vdash P^t)$ {Definition of design}
$= A1 \circ A0(P)$

□


Theorem T.4.2.9 $A \circ A(P) = A(P)$

Proof.

$A \circ A(P)$ {Definition of A twice}
$= A0 \circ A1 \circ A0 \circ A1(P)$ {Theorem T.4.2.8 and A1(P) ensures $P^t$ satisfies PBMH}
$= A0 \circ A0 \circ A1 \circ A1(P)$ {A0-idempotent (Theorem T.4.2.1) and A1-idempotent (Theorem T.4.2.6)}
$= A0 \circ A1(P)$ {Definition of A}
$= A(P)$

□


Theorem T.4.2.10 $H1 \circ H2 \circ A(P) = A \circ H1 \circ H2(P)$

Proof.

$H1 \circ H2 \circ A(P)$ {Definition of A}
$= H1 \circ H2 \circ A0 \circ A1(P)$ {Theorem T.C.1.3}
$= A0 \circ H1 \circ H2 \circ A1(P)$ {A1 is PBMH}
$= A0 \circ H1 \circ H2 \circ PBMH(P)$ {Theorem T.E.6.1}
$= A0 \circ H1 \circ PBMH \circ H2(P)$ {Theorem T.E.6.2}
$= A0 \circ PBMH \circ H1 \circ H2(P)$ {A1 is PBMH}
$= A0 \circ A1 \circ H1 \circ H2(P)$ {Definition of A}
$= A \circ H1 \circ H2(P)$

□


Theorem T.C.1.4 $P \sqsubseteq Q \Rightarrow A(P) \sqsubseteq A(Q)$

Proof. Follows from A0-monotonic (Theorem T.4.2.2) and A1-monotonic (Theorem T.4.2.7).

□


Lemma L.C.1.5 Provided $ok'$ is not free in $e$, $A(P)[e/s] = A(P[e/s])$

Proof.

$A(P)[e/s]$ {Definition of A}
$= (A0 \circ PBMH(P))[e/s]$ {Lemma L.C.1.1}
$= A0 \circ (PBMH(P))[e/s]$ {Lemma L.E.5.2}
$= A0 \circ PBMH(P[e/s])$ {Definition of A}
$= A(P[e/s])$

□

Lemma L.C.1.6 $s.x = v \wedge P \Leftrightarrow s.x = v \wedge P[s \oplus \{x \mapsto v\}/s]$

Proof.

$s.x = v \wedge P$ {Predicate calculus for fresh variable $z$}
$\Leftrightarrow \exists z \bullet s.x = v \wedge z = s \wedge P[z/s]$ {Relational calculus}
$\Leftrightarrow \exists z \bullet s.x = v \wedge z = s \oplus \{x \mapsto v\} \wedge P[z/s]$ {One-point rule}
$\Leftrightarrow s.x = v \wedge P[z/s][s \oplus \{x \mapsto v\}/z]$ {Substitution}
$\Leftrightarrow s.x = v \wedge P[s \oplus \{x \mapsto v\}/s]$

□

Lemma L.C.1.7 Provided P is an A-healthy design, $P^f = (ok \Rightarrow P^f)$

Proof.

$P^f$ {Assumption: P is an A-healthy design}
$= (A(\lnot P^f \vdash P^t))^f$ {Definition of A}
$= (\lnot PBMH(P^f) \vdash PBMH(P^t) \wedge ac' \neq \emptyset)^f$ {Definition of design}
$= ((ok \wedge \lnot PBMH(P^f)) \Rightarrow (PBMH(P^t) \wedge ac' \neq \emptyset \wedge ok'))^f$ {Substitution}
$= ((ok \wedge \lnot PBMH(P^f)) \Rightarrow (PBMH(P^t) \wedge ac' \neq \emptyset \wedge \mathit{false}))$ {Predicate calculus}
$= \lnot ok \vee PBMH(P^f)$ {Lemma L.E.5.1}
$= \lnot ok \vee PBMH(P)^f$ {Assumption: P is A-healthy}
$= \lnot ok \vee P^f$ {Predicate calculus}
$= ok \Rightarrow P^f$

□


Lemma L.C.1.8 Provided P is an A-healthy design, $P^t = ((ok \wedge \lnot P^f) \Rightarrow (P^t \wedge ac' \neq \emptyset))$

Proof.

$P^t$ {Assumption: P is an A-healthy design}
$= (A(\lnot P^f \vdash P^t))^t$ {Definition of A}
$= (\lnot PBMH(P^f) \vdash PBMH(P^t) \wedge ac' \neq \emptyset)^t$ {Definition of design}
$= ((ok \wedge \lnot PBMH(P^f)) \Rightarrow (PBMH(P^t) \wedge ac' \neq \emptyset \wedge ok'))^t$ {Substitution}
$= ((ok \wedge \lnot PBMH(P^f)) \Rightarrow (PBMH(P^t) \wedge ac' \neq \emptyset \wedge \mathit{true}))$ {Predicate calculus}
$= ((ok \wedge \lnot PBMH(P^f)) \Rightarrow (PBMH(P^t) \wedge ac' \neq \emptyset))$ {Lemma L.E.5.1}
$= ((ok \wedge \lnot PBMH(P)^f) \Rightarrow (PBMH(P)^t \wedge ac' \neq \emptyset))$ {Assumption: P is A-healthy}
$= ((ok \wedge \lnot P^f) \Rightarrow (P^t \wedge ac' \neq \emptyset))$

□

Lemma L.C.1.9 Provided P is an A-healthy design,

$(\lnot \exists ac' \bullet PBMH(P^f) \vdash PBMH(P^t) \wedge ac' \neq \emptyset) = (\lnot \exists ac' \bullet P^f \vdash P^t)$

Proof.

$(\lnot \exists ac' \bullet PBMH(P^f) \vdash PBMH(P^t) \wedge ac' \neq \emptyset)$ {Lemma L.E.5.1}
$= (\lnot \exists ac' \bullet PBMH(P)^f \vdash PBMH(P)^t \wedge ac' \neq \emptyset)$ {Assumption: P is A-healthy (and hence PBMH-healthy)}
$= (\lnot \exists ac' \bullet P^f \vdash P^t \wedge ac' \neq \emptyset)$ {Assumption: P is A-healthy and Lemmas L.C.1.7 and L.C.1.8}
$= (\lnot \exists ac' \bullet ok \Rightarrow P^f \vdash ((ok \wedge \lnot P^f) \Rightarrow (P^t \wedge ac' \neq \emptyset)) \wedge ac' \neq \emptyset)$ {Predicate calculus}
$= (\lnot (ok \Rightarrow \exists ac' \bullet P^f) \vdash (\lnot ok \vee P^f \vee (P^t \wedge ac' \neq \emptyset)) \wedge ac' \neq \emptyset)$ {Predicate calculus}
$= (ok \wedge \lnot \exists ac' \bullet P^f \vdash (\lnot ok \wedge ac' \neq \emptyset) \vee (P^f \wedge ac' \neq \emptyset) \vee (P^t \wedge ac' \neq \emptyset))$ {Definition of design and predicate calculus}
$= (\lnot \exists ac' \bullet P^f \vdash (\lnot ok \wedge ac' \neq \emptyset) \vee (P^f \wedge (\exists ac' \bullet P^f) \wedge ac' \neq \emptyset) \vee (P^t \wedge ac' \neq \emptyset))$ {Definition of design and predicate calculus}
$= (\lnot \exists ac' \bullet P^f \vdash (ok \wedge \lnot \exists ac' \bullet P^f) \wedge ((\lnot ok \wedge ac' \neq \emptyset) \vee (P^f \wedge (\exists ac' \bullet P^f) \wedge ac' \neq \emptyset) \vee (P^t \wedge ac' \neq \emptyset)))$ {Predicate calculus}
$= (\lnot \exists ac' \bullet P^f \vdash (ok \wedge \lnot \exists ac' \bullet P^f) \wedge (\lnot ok \vee P^f \vee (P^t \wedge ac' \neq \emptyset)))$ {Definition of design and predicate calculus}
$= (\lnot \exists ac' \bullet P^f \vdash (ok \wedge \lnot P^f) \Rightarrow (P^t \wedge ac' \neq \emptyset))$ {Assumption: P is A-healthy and Lemma L.C.1.8}
$= (\lnot \exists ac' \bullet P^f \vdash P^t)$

□
Theorem T.C.1.5 Provided P is an A-healthy design, $H3_{Dac}(P) = (\lnot \exists ac' \bullet P^f \vdash P^t)$

Proof.

$H3_{Dac}(P)$ {Definition of H3 for angelic designs}
$= P ;_{Dac} (\mathit{true} \vdash s \in ac')$ {Assumption: P is an A-healthy design}
$= A(\lnot P^f \vdash P^t) ;_{Dac} (\mathit{true} \vdash s \in ac')$ {Definition of A}
$= (\lnot PBMH(P^f) \vdash PBMH(P^t) \wedge ac' \neq \emptyset) ;_{Dac} (\mathit{true} \vdash s \in ac')$ {Sequential composition for A-designs}
$= (\lnot (PBMH(P^f) ;_A \mathit{true}) \wedge \lnot ((PBMH(P^t) \wedge ac' \neq \emptyset) ;_A \lnot \mathit{true}) \vdash (PBMH(P^t) \wedge ac' \neq \emptyset) ;_A (\mathit{true} \Rightarrow s \in ac'))$ {Predicate calculus}
$= (\lnot (PBMH(P^f) ;_A \mathit{true}) \wedge \lnot ((PBMH(P^t) \wedge ac' \neq \emptyset) ;_A \mathit{false}) \vdash (PBMH(P^t) \wedge ac' \neq \emptyset) ;_A s \in ac')$ {Lemma L.F.1.5}
$= (\lnot (PBMH(P^f) ;_A \mathit{true}) \wedge \lnot ((PBMH(P^t) ;_A \mathit{false}) \wedge (ac' \neq \emptyset ;_A \mathit{false})) \vdash (PBMH(P^t) \wedge ac' \neq \emptyset) ;_A s \in ac')$ {Definition of $;_A$ and substitution}
$= (\lnot (PBMH(P^f) ;_A \mathit{true}) \wedge \lnot ((PBMH(P^t) ;_A \mathit{false}) \wedge (\emptyset \neq \emptyset)) \vdash (PBMH(P^t) \wedge ac' \neq \emptyset) ;_A s \in ac')$ {Predicate calculus}
$= (\lnot (PBMH(P^f) ;_A \mathit{true}) \vdash (PBMH(P^t) \wedge ac' \neq \emptyset) ;_A s \in ac')$ {Lemma L.F.6.3}
$= (\lnot (PBMH(P^f) ;_A \mathit{true}) \vdash PBMH(P^t) \wedge ac' \neq \emptyset)$ {Lemma L.E.4.16}
$= (\lnot \exists ac' \bullet PBMH(P^f) \vdash PBMH(P^t) \wedge ac' \neq \emptyset)$ {Lemma L.C.1.9}
$= (\lnot \exists ac' \bullet P^f \vdash P^t)$

□
C.1.4 A2

Theorem T.4.2.11 $A2(P) = P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')$

Proof.

$A2(P)$ {Predicate calculus}
$= A2(P \wedge (ac' = \emptyset \vee ac' \neq \emptyset))$ {Predicate calculus}
$= A2((P \wedge ac' = \emptyset) \vee (P \wedge ac' \neq \emptyset))$ {Theorem T.4.2.14}
$= A2(P \wedge ac' = \emptyset) \vee A2(P \wedge ac' \neq \emptyset)$ {Lemmas L.C.1.17 and L.C.1.18}
$= P[\emptyset/ac'] \vee (\exists z \bullet P[\{z\}/ac'] \wedge z \in ac')$

□


Theorem T.4.2.12 $A2 \circ A2(P) = A2(P)$

Proof.

$A2 \circ A2(P)$ {Definition of A2 (Theorem T.4.2.11)}
$= A2(P)[\emptyset/ac'] \vee (\exists y \bullet A2(P)[\{y\}/ac'] \wedge y \in ac')$ {Definition of A2 (Theorem T.4.2.11)}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac'))[\emptyset/ac'] \vee (\exists y \bullet (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac'))[\{y\}/ac'] \wedge y \in ac')$ {Variable renaming}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac'))[\emptyset/ac'] \vee (\exists y \bullet (P[\emptyset/ac'] \vee (\exists z \bullet P[\{z\}/ac'] \wedge z \in ac'))[\{y\}/ac'] \wedge y \in ac')$ {Substitution}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in \emptyset)) \vee (\exists y \bullet (P[\emptyset/ac'] \vee (\exists z \bullet P[\{z\}/ac'] \wedge z \in \{y\})) \wedge y \in ac')$ {Property of sets and predicate calculus}
$= P[\emptyset/ac'] \vee (\exists y \bullet (P[\emptyset/ac'] \vee (\exists z \bullet P[\{z\}/ac'] \wedge z = y)) \wedge y \in ac')$ {One-point rule}
$= P[\emptyset/ac'] \vee (\exists y \bullet (P[\emptyset/ac'] \vee P[\{y\}/ac']) \wedge y \in ac')$ {Predicate calculus}
$= P[\emptyset/ac'] \vee (\exists y \bullet P[\emptyset/ac'] \wedge y \in ac') \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')$ {Predicate calculus: $y$ not free in $P$}
$= P[\emptyset/ac'] \vee (P[\emptyset/ac'] \wedge \exists y \bullet y \in ac') \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')$ {Predicate calculus: absorption law}
$= P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')$ {Definition of A2 (Theorem T.4.2.11)}
$= A2(P)$

□


Theorem T.4.2.13 $P \sqsubseteq Q \Rightarrow A2(P) \sqsubseteq A2(Q)$

Proof.

$A2(Q)$ {Definition of A2}
$= PBMH(Q ;_A \{s\} = ac')$ {Assumption: $P \sqsubseteq Q = [Q \Rightarrow P]$}
$= PBMH((P \wedge Q) ;_A \{s\} = ac')$ {Distributivity of $;_A$}
$= PBMH((P ;_A \{s\} = ac') \wedge (Q ;_A \{s\} = ac'))$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet ((P ;_A \{s\} = ac') \wedge (Q ;_A \{s\} = ac'))[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Substitution}
$= \exists ac_0 \bullet ((P ;_A \{s\} = ac')[ac_0/ac'] \wedge (Q ;_A \{s\} = ac')[ac_0/ac']) \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$\sqsupseteq \exists ac_0 \bullet (P ;_A \{s\} = ac')[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P ;_A \{s\} = ac')$ {Definition of A2}
$= A2(P)$

□


Theorem T.4.2.14 $A2(P \vee Q) = A2(P) \vee A2(Q)$

Proof.

$A2(P \vee Q)$ {Definition of A2}
$= PBMH((P \vee Q) ;_A \{s\} = ac')$ {Distributivity of $;_A$ (Lemma L.F.1.4)}
$= PBMH((P ;_A \{s\} = ac') \vee (Q ;_A \{s\} = ac'))$ {Distributivity of PBMH}
$= PBMH(P ;_A \{s\} = ac') \vee PBMH(Q ;_A \{s\} = ac')$ {Definition of A2}
$= A2(P) \vee A2(Q)$

□


Theorem T.C.1.6 (A2-idempotent) Provided P is PBMH-healthy, $A2 \circ A2(P) = A2(P)$

Proof.

$A2 \circ A2(P)$ {Definition of A2 twice}
$= PBMH(PBMH(P ;_A \{s \mid \{s\} = ac'\}) ;_A \{s \mid \{s\} = ac'\})$ {P is PBMH-healthy and Lemma L.C.1.25}
$= PBMH(P ;_A \{s \mid \{s\} = ac'\})$ {Definition of A2}
$= A2(P)$

□


Lemmas

Lemma L.4.2.3 $A2(P \vdash Q) = (\lnot A2(\lnot P) \vdash A2(Q))$

Proof.

$A2(P \vdash Q)$ {Definition of design}
$= A2((ok \wedge P) \Rightarrow (Q \wedge ok'))$ {Predicate calculus}
$= A2(\lnot ok \vee \lnot P \vee (Q \wedge ok'))$ {Distributivity of A2 (Theorem T.4.2.14)}
$= A2(\lnot ok) \vee A2(\lnot P) \vee A2(Q \wedge ok')$ {Lemmas L.C.1.15 and L.C.1.16}
$= \lnot ok \vee A2(\lnot P) \vee (A2(Q) \wedge ok')$ {Predicate calculus}
$= (ok \wedge \lnot A2(\lnot P)) \Rightarrow (A2(Q) \wedge ok')$ {Definition of design}
$= (\lnot A2(\lnot P) \vdash A2(Q))$

□


Lemma L.C.1.10 $A2(P) = \exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge ac_0 \subseteq ac'$

Proof.

$A2(P)$ {Definition of A2}
$= PBMH(P ;_A \{s\} = ac')$ {Definition of $;_A$ and substitution}
$= PBMH(P[\{s \mid \{s\} = ac'\}/ac'])$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet P[\{s \mid \{s\} = ac'\}/ac'][ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Property of substitution}
$= \exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge ac_0 \subseteq ac'$

□


Lemma L.C.1.11

$A2 \circ A(\lnot P^f \vdash P^t) = (\lnot A2 \circ PBMH(P^f) \vdash A2(PBMH(P^t) \wedge ac' \neq \emptyset))$

Proof.

$A2 \circ A(\lnot P^f \vdash P^t)$ {Definition of A}
$= A2(\lnot PBMH(P^f) \vdash PBMH(P^t) \wedge ac' \neq \emptyset)$ {Definition of design}
$= A2((ok \wedge \lnot PBMH(P^f)) \Rightarrow (PBMH(P^t) \wedge ac' \neq \emptyset \wedge ok'))$ {Predicate calculus}
$= A2(\lnot ok \vee PBMH(P^f) \vee (PBMH(P^t) \wedge ac' \neq \emptyset \wedge ok'))$ {Distributivity of A2 (Theorem T.4.2.14)}
$= A2(\lnot ok) \vee A2 \circ PBMH(P^f) \vee A2(PBMH(P^t) \wedge ac' \neq \emptyset \wedge ok')$ {Lemmas L.C.1.15 and L.C.1.16}
$= \lnot ok \vee A2 \circ PBMH(P^f) \vee (A2(PBMH(P^t) \wedge ac' \neq \emptyset) \wedge ok')$ {Predicate calculus}
$= (ok \wedge \lnot A2 \circ PBMH(P^f)) \Rightarrow (A2(PBMH(P^t) \wedge ac' \neq \emptyset) \wedge ok')$ {Definition of design}
$= (\lnot A2 \circ PBMH(P^f) \vdash A2(PBMH(P^t) \wedge ac' \neq \emptyset))$

□


Lemma L.C.1.12 $A2(\mathit{false}) = \mathit{false}$

Proof.

$A2(\mathit{false})$ {Definition of A2}
$= PBMH(\mathit{false} ;_A \{s\} = ac')$ {Property of $;_A$}
$= PBMH(\mathit{false})$ {Property of PBMH}
$= \mathit{false}$

□


Lemma L.C.1.13 $A2(\mathit{true}) = \mathit{true}$

Proof.

$A2(\mathit{true})$ {Definition of A2}
$= PBMH(\mathit{true} ;_A \{s\} = ac')$ {Property of $;_A$}
$= PBMH(\mathit{true})$ {Property of PBMH}
$= \mathit{true}$

□


Lemma L.C.1.14 Provided $ac'$ is not free in $P$, $A2(\exists y \bullet y \in ac' \wedge P) = \exists y \bullet y \in ac' \wedge P$

Proof.

$A2(\exists y \bullet y \in ac' \wedge P)$ {Definition of A2}
$= PBMH((\exists y \bullet y \in ac' \wedge P) ;_A \{s\} = ac')$ {Definition of $;_A$ and substitution: $ac'$ not free in $P$}
$= PBMH(\exists y \bullet y \in \{s \mid \{s\} = ac'\} \wedge P)$ {Property of sets}
$= PBMH(\exists y \bullet \{y\} = ac' \wedge P)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet (\exists y \bullet \{y\} = ac' \wedge P)[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Substitution: $ac'$ not free in $P$}
$= \exists ac_0, y \bullet \{y\} = ac_0 \wedge P \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= \exists y \bullet \{y\} \subseteq ac' \wedge P$ {Property of sets}
$= \exists y \bullet y \in ac' \wedge P$

□


Properties

Lemma L.C.1.15 Provided $ac'$ is not free in $P$, $A2(P \wedge Q) = P \wedge A2(Q)$.

Proof.

$A2(P \wedge Q)$ {Definition of A2}
$= PBMH((P \wedge Q) ;_A \{s\} = ac')$ {Distributivity of $;_A$ (Lemma L.F.1.5)}
$= PBMH((P ;_A \{s\} = ac') \wedge (Q ;_A \{s\} = ac'))$ {Assumption: $ac'$ not free in $P$}
$= PBMH(P \wedge (Q ;_A \{s\} = ac'))$ {Assumption: $ac'$ not free in $P$ and Lemma L.E.4.8}
$= P \wedge PBMH(Q ;_A \{s\} = ac')$ {Definition of A2}
$= P \wedge A2(Q)$

□


Lemma L.C.1.16 Provided $ac'$ is not free in $P$, $A2(P) = P$.

Proof.

$A2(P)$ {Definition of A2}
$= PBMH(P ;_A \{s\} = ac')$ {Assumption: $ac'$ not free in $P$}
$= PBMH(P)$ {Assumption: $ac'$ not free in $P$ and Lemma L.E.4.5}
$= P$

□


Lemma L.C.1.17 $A2(P \wedge ac' \neq \emptyset) = \exists z \bullet P[\{z\}/ac'] \wedge z \in ac'$

Proof.

$A2(P \wedge ac' \neq \emptyset)$ {Definition of A2 (Lemma L.C.1.10)}
$= \exists ac_0 \bullet ((P \wedge ac' \neq \emptyset)[\{s \mid \{s\} = ac_0\}/ac'] \wedge ac_0 \subseteq ac')$ {Substitution}
$= \exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge \{s \mid \{s\} = ac_0\} \neq \emptyset \wedge ac_0 \subseteq ac'$ {Property of sets}
$= \exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge (\exists z \bullet \{z\} = ac_0) \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= \exists ac_0, z \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge \{z\} = ac_0 \wedge ac_0 \subseteq ac'$ {One-point rule}
$= \exists z \bullet P[\{s \mid \{s\} = \{z\}\}/ac'] \wedge \{z\} \subseteq ac'$ {Property of sets}
$= \exists z \bullet P[\{z\}/ac'] \wedge z \in ac'$

□


Lemma L.C.1.18 $A2(P \wedge ac' = \emptyset) = P[\emptyset/ac']$

Proof.

$A2(P \wedge ac' = \emptyset)$ {Definition of A2 (Lemma L.C.1.10)}
$= \exists ac_0 \bullet ((P \wedge ac' = \emptyset)[\{s \mid \{s\} = ac_0\}/ac'] \wedge ac_0 \subseteq ac')$ {Substitution}
$= \exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge \{s \mid \{s\} = ac_0\} = \emptyset \wedge ac_0 \subseteq ac'$ {Property of sets}
$= \exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge \lnot (\exists z \bullet \{z\} = ac_0) \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= \exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge (\forall z \bullet \{z\} \neq ac_0) \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= \exists ac_0 \bullet P[\{s \mid \mathit{false}\}/ac'] \wedge (\forall z \bullet \{z\} \neq ac_0) \wedge ac_0 \subseteq ac'$ {Property of sets}
$= \exists ac_0 \bullet P[\emptyset/ac'] \wedge (\forall z \bullet \{z\} \neq ac_0) \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= P[\emptyset/ac'] \wedge \exists ac_0 \bullet (\forall z \bullet \{z\} \neq ac_0) \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= P[\emptyset/ac']$

□


Lemma L.C.1.19 $A2(P)[\emptyset/ac'] = P[\emptyset/ac']$

Proof.

$A2(P)[\emptyset/ac']$ {Definition of A2 (Lemma L.C.1.10)}
$= (\exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge ac_0 \subseteq ac')[\emptyset/ac']$ {Substitution}
$= \exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge ac_0 \subseteq \emptyset$ {Property of sets}
$= \exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge ac_0 = \emptyset$ {One-point rule}
$= P[\{s \mid \{s\} = \emptyset\}/ac']$ {Property of sets}
$= P[\emptyset/ac']$

□


Lemma L.C.1.20 Provided $ac'$ is not free in $c$,

$A2(P \lhd c \rhd Q) = A2(P) \lhd c \rhd A2(Q)$

Proof.

$A2(P \lhd c \rhd Q)$ {Definition of conditional}
$= A2((c \wedge P) \vee (\lnot c \wedge Q))$ {Theorem T.4.2.14}
$= A2(c \wedge P) \vee A2(\lnot c \wedge Q)$ {Assumption: $ac'$ is not free in $c$ and Lemma L.C.1.15}
$= (c \wedge A2(P)) \vee (\lnot c \wedge A2(Q))$ {Definition of conditional}
$= A2(P) \lhd c \rhd A2(Q)$

□


Lemma L.C.1.21 $A2(x \in ac') = x \in ac'$

Proof.

$A2(x \in ac')$ {Definition of A2 (Theorem T.4.2.11)}
$= (x \in ac')[\emptyset/ac'] \vee (\exists y \bullet (x \in ac')[\{y\}/ac'] \wedge y \in ac')$ {Substitution}
$= (x \in \emptyset) \vee (\exists y \bullet x \in \{y\} \wedge y \in ac')$ {Property of sets and predicate calculus}
$= \exists y \bullet x = y \wedge y \in ac'$ {One-point rule}
$= x \in ac'$

□


Lemma L.C.1.22 $A2(P)^o = A2(P^o)$

Proof.

$A2(P)^o$ {Definition of A2}
$= (PBMH(P ;_A \{s\} = ac'))^o$ {Lemma L.E.5.1}
$= PBMH((P ;_A \{s\} = ac')^o)$ {Definition of $;_A$}
$= PBMH((P[\{s \mid \{s\} = ac'\}/ac'])^o)$ {Definition of $^o$}
$= PBMH((P[\{s \mid \{s\} = ac'\}/ac'])[s \oplus \{wait \mapsto w\}, ok/o, s])$ {Substitution}
$= PBMH(P[s \oplus \{wait \mapsto w\}, ok/o, s][\{s \mid \{s\} = ac'\}/ac'])$ {Definition of $^o$}
$= PBMH(P^o[\{s \mid \{s\} = ac'\}/ac'])$ {Definition of $;_A$}
$= PBMH(P^o ;_A \{s\} = ac')$ {Definition of A2}
$= A2(P^o)$

□
Lemma L.C.1.23 Provided $ac'$ is not free in $o$, $A2(P)[o/ok] = A2(P[o/ok])$.

Proof.

$A2(P)[o/ok]$ {Definition of A2 (Theorem T.4.2.11)}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac'))[o/ok]$ {Substitution}
$= (P[o/ok][\emptyset/ac'] \vee (\exists y \bullet P[o/ok][\{y\}/ac'] \wedge y \in ac'))$ {Definition of A2 (Theorem T.4.2.11)}
$= A2(P[o/ok])$

□


Lemma L.C.1.24 Provided that $x$ is not $ac'$, $A2(\exists x \bullet P) = \exists x \bullet A2(P)$

Proof.

$A2(\exists x \bullet P)$ {Definition of A2 (Theorem T.4.2.11)}
$= (\exists x \bullet P)[\emptyset/ac'] \vee (\exists y \bullet (\exists x \bullet P)[\{y\}/ac'] \wedge y \in ac')$ {Assumption: $x$ is not $ac'$ and substitution}
$= (\exists x \bullet P[\emptyset/ac']) \vee (\exists y \bullet (\exists x \bullet P[\{y\}/ac']) \wedge y \in ac')$ {Predicate calculus}
$= (\exists x \bullet P[\emptyset/ac']) \vee (\exists x \bullet \exists y \bullet P[\{y\}/ac'] \wedge y \in ac')$ {Predicate calculus}
$= \exists x \bullet (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac'))$ {Definition of A2 (Theorem T.4.2.11)}
$= \exists x \bullet A2(P)$

□


Properties with respect to PBMH

Theorem T.C.1.7 $A2 \circ PBMH(P) = A2(P)$

Proof.

$A2 \circ PBMH(P)$ {Definition of A2 (Theorem T.4.2.11)}
$= PBMH(P)[\emptyset/ac'] \vee (\exists z \bullet PBMH(P)[\{z\}/ac'] \wedge z \in ac')$ {Definition of PBMH (Lemma L.4.2.1)}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')[\emptyset/ac'] \vee (\exists z \bullet (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')[\{z\}/ac'] \wedge z \in ac')$ {Substitution}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \emptyset) \vee (\exists z \bullet (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{z\}) \wedge z \in ac')$ {Property of sets and one-point rule}
$= P[\emptyset/ac'] \vee (\exists z \bullet (P[\emptyset/ac'] \vee P[\{z\}/ac']) \wedge z \in ac')$ {Predicate calculus}
$= P[\emptyset/ac'] \vee (\exists z \bullet P[\emptyset/ac'] \wedge z \in ac') \vee (\exists z \bullet P[\{z\}/ac'] \wedge z \in ac')$ {Predicate calculus and property of sets}
$= P[\emptyset/ac'] \vee (P[\emptyset/ac'] \wedge ac' \neq \emptyset) \vee (\exists z \bullet P[\{z\}/ac'] \wedge z \in ac')$ {Predicate calculus: absorption law}
$= P[\emptyset/ac'] \vee (\exists z \bullet P[\{z\}/ac'] \wedge z \in ac')$ {Definition of A2 (Theorem T.4.2.11)}
$= A2(P)$

□


Lemma L.C.1.25 Provided P is PBMH-healthy,

$PBMH(P ;_A \{s \mid \{s\} = ac'\}) ;_A \{s \mid \{s\} = ac'\} = P ;_A \{s \mid \{s\} = ac'\}$

Proof.

$PBMH(P ;_A \{s \mid \{s\} = ac'\}) ;_A \{s \mid \{s\} = ac'\}$ {Assumption: P is PBMH-healthy and Lemma L.E.7.1}
$= (\exists ac_1, ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid \{s\} = ac_1\} \wedge ac_1 \subseteq ac') ;_A \{s \mid \{s\} = ac'\}$ {Definition of $;_A$ and substitution}
$= \exists ac_1, ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid \{s\} = ac_1\} \wedge ac_1 \subseteq \{s \mid \{s\} = ac'\}$ {Lemma L.1.0.10}
$= \exists ac_1, ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac_1 \wedge ac_0 \subseteq \{s \mid ac_1 \subseteq \{s\}\} \wedge ac_1 \subseteq \{s \mid \{s\} = ac'\}$ {Lemma L.1.0.11}
$= \exists ac_1, ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac_1 \wedge ac_1 \subseteq \{s \mid ac_0 \subseteq \{s\}\} \wedge ac_1 \subseteq \{s \mid \{s\} = ac'\}$ {Property of sets}
$= \exists ac_1, ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac_1 \wedge ac_1 \subseteq \{s \mid ac_0 \subseteq \{s\} \wedge \{s\} = ac'\}$ {Transitivity of subset inclusion}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid ac_0 \subseteq \{s\} \wedge \{s\} = ac'\}$ {Predicate calculus}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid ac_0 \subseteq ac' \wedge \{s\} = ac'\}$ {Property of sets}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid ac_0 \subseteq ac'\} \wedge ac_0 \subseteq \{s \mid \{s\} = ac'\}$ {Lemma L.1.0.12}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge (ac_0 = \emptyset \vee ac_0 \subseteq ac') \wedge ac_0 \subseteq \{s \mid \{s\} = ac'\}$ {Predicate calculus}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 = \emptyset \wedge ac_0 \subseteq \{s \mid \{s\} = ac'\}) \vee (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac' \wedge ac_0 \subseteq \{s \mid \{s\} = ac'\})$ {One-point rule}
$= P[\emptyset/ac'] \vee (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac' \wedge ac_0 \subseteq \{s \mid \{s\} = ac'\})$ {$P[\emptyset/ac']$ is an instance of existential quantification}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac' \wedge ac_0 \subseteq \{s \mid \{s\} = ac'\}$ {Predicate calculus and Lemma L.1.0.10}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid \{s\} = ac'\}$ {Definition of $;_A$ and substitution}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A \{s \mid \{s\} = ac'\}$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P) ;_A \{s \mid \{s\} = ac'\}$ {Assumption: P is PBMH-healthy}
$= P ;_A \{s \mid \{s\} = ac'\}$

□


Lemma L.C.1.26 $PBMH \circ A2(P) = A2(P)$

Proof.

$PBMH \circ A2(P)$ {Definition of A2}
$= PBMH \circ PBMH(P ;_A \{s\} = ac')$ {PBMH-idempotent (Theorem T.E.2.1)}
$= PBMH(P ;_A \{s\} = ac')$ {Definition of A2}
$= A2(P)$

□
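The following finite-model check is an added example, not part of the thesis: it encodes PBMH, the composition $P ;_A \{s\} = ac'$ and A2 over a constructed three-element state space, with a predicate on $ac'$ represented as a truth table over all subsets, and confirms Theorem T.4.2.11 (the closed form of A2), Theorem T.4.2.12, Theorem T.C.1.7, Lemma L.C.1.19 and Lemma L.C.1.26 for every such predicate. The state space STATES, the truth-table encoding and all function names are assumptions of this example.

```python
"""Finite-model check of the A2 healthiness condition from Appendix C.

Added example (not the thesis's own material): predicates over the
angelic variable ac' are modelled as Python functions from a subset of a
small constructed state space to bool, and the definitions of PBMH, ;_A
and A2 are encoded directly, so the closed form of Theorem T.4.2.11 and
the properties T.4.2.12, T.C.1.7, L.C.1.19 and L.C.1.26 can be checked
exhaustively over every predicate on ac'.
"""
from itertools import combinations, product

# Constructed state space; states are plain integers.
STATES = (0, 1, 2)


def subsets(universe):
    """All subsets of `universe`, as frozensets (every possible value of ac')."""
    items = tuple(universe)
    for k in range(len(items) + 1):
        for combo in combinations(items, k):
            yield frozenset(combo)


ALL_SUBSETS = tuple(subsets(STATES))


def pbmh(p):
    """PBMH(P) = exists ac0 . P[ac0/ac'] and ac0 subseteq ac'  (Lemma L.4.2.1)."""
    return lambda ac: any(p(ac0) for ac0 in ALL_SUBSETS if ac0 <= ac)


def seq_singleton(p):
    """P ;_A {s} = ac'  =  P[{s | {s} = ac'}/ac'].

    The set {s | {s} = ac'} is ac' itself when ac' is a singleton and is
    empty otherwise, so the substitution is evaluated pointwise.
    """
    return lambda ac: p(ac if len(ac) == 1 else frozenset())


def a2(p):
    """A2(P) = PBMH(P ;_A {s} = ac'), the definition used in Appendix C."""
    return pbmh(seq_singleton(p))


def a2_closed_form(p):
    """Theorem T.4.2.11: A2(P) = P[0/ac'] or (exists y . P[{y}/ac'] and y in ac')."""
    return lambda ac: p(frozenset()) or any(p(frozenset([y])) for y in ac)


def equal(p, q):
    """Two predicates are equal when they agree on every value of ac'."""
    return all(p(ac) == q(ac) for ac in ALL_SUBSETS)


def all_predicates():
    """Every predicate on ac' over STATES, as a truth table (2**8 of them)."""
    for table in product((False, True), repeat=len(ALL_SUBSETS)):
        truth = dict(zip(ALL_SUBSETS, table))
        yield lambda ac, truth=truth: truth[ac]


def check_all():
    """Return, per result, whether it held for every predicate on ac'."""
    results = {
        "T.4.2.11 closed form of A2": True,
        "T.4.2.12 A2 o A2 = A2": True,
        "T.C.1.7 A2 o PBMH = A2": True,
        "L.C.1.19 A2(P)[0/ac'] = P[0/ac']": True,
        "L.C.1.26 PBMH o A2 = A2": True,
    }
    for p in all_predicates():
        a2p = a2(p)
        results["T.4.2.11 closed form of A2"] &= equal(a2p, a2_closed_form(p))
        results["T.4.2.12 A2 o A2 = A2"] &= equal(a2(a2p), a2p)
        results["T.C.1.7 A2 o PBMH = A2"] &= equal(a2(pbmh(p)), a2p)
        results["L.C.1.19 A2(P)[0/ac'] = P[0/ac']"] &= (
            a2p(frozenset()) == p(frozenset()))
        results["L.C.1.26 PBMH o A2 = A2"] &= equal(pbmh(a2p), a2p)
    return results


def a2_is_strict():
    """A2 is not the identity: the predicate ac' = {0, 1} is not A2-healthy,
    because A2 only keeps what P says about the empty set and singletons."""
    p = lambda ac: ac == frozenset([0, 1])
    return not equal(a2(p), p)


if __name__ == "__main__":
    for name, held in check_all().items():
        print(f"{name}: {'holds' if held else 'FAILS'}")
    print(f"A2 changes some predicates: {a2_is_strict()}")
```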


Properties with respect to $;_A$

Theorem T.C.1.8 Provided P and Q are A2-healthy, $A2(P ;_A Q) = P ;_A Q$

Proof.

$A2(P ;_A Q)$ {Assumption: P and Q are A2-healthy}
$= A2(A2(P) ;_A A2(Q))$ {Lemma L.C.1.28}
$= A2(P) ;_A A2(Q)$ {Assumption: P and Q are A2-healthy}
$= P ;_A Q$

□
Lemma L.C.1.27

$A2(P) ;_A A2(Q) = (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists y \bullet P[\{y\}/ac'] \wedge (\exists y \bullet Q[\{y\}/ac'][y/s] \wedge y \in ac'))$

Proof.

$A2(P) ;_A A2(Q)$ {Definition of A2 (Theorem T.4.2.11)}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')) ;_A (Q[\emptyset/ac'] \vee (\exists y \bullet Q[\{y\}/ac'] \wedge y \in ac'))$ {Lemmas L.F.1.1 and L.F.1.4}
$= P[\emptyset/ac'] \vee ((\exists y \bullet P[\{y\}/ac'] \wedge y \in ac') ;_A (Q[\emptyset/ac'] \vee (\exists y \bullet Q[\{y\}/ac'] \wedge y \in ac')))$ {Definition of $;_A$ and substitution}
$= P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in \{s \mid Q[\emptyset/ac'] \vee (\exists y \bullet Q[\{y\}/ac'] \wedge y \in ac')\})$ {Property of sets and substitution}
$= P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge (Q[\emptyset/ac'][y/s] \vee (\exists y \bullet Q[\{y\}/ac'][y/s] \wedge y \in ac')))$ {Predicate calculus}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists y \bullet P[\{y\}/ac'] \wedge (\exists y \bullet Q[\{y\}/ac'][y/s] \wedge y \in ac'))$

□


Lemma L.C.1.28 $A2(A2(P) ;_A A2(Q)) = A2(P) ;_A A2(Q)$

Proof.

$A2(A2(P) ;_A A2(Q))$ {Lemma L.C.1.27}
$= A2((P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists y \bullet P[\{y\}/ac'] \wedge (\exists y \bullet Q[\{y\}/ac'][y/s] \wedge y \in ac')))$ {Definition of A2 (Theorem T.4.2.11)}
$= ((P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists y \bullet P[\{y\}/ac'] \wedge (\exists y \bullet Q[\{y\}/ac'][y/s] \wedge y \in ac')))[\emptyset/ac'] \vee (\exists z \bullet ((P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists y \bullet P[\{y\}/ac'] \wedge (\exists y \bullet Q[\{y\}/ac'][y/s] \wedge y \in ac')))[\{z\}/ac'] \wedge z \in ac')$ {Substitution}
$= ((P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists y \bullet P[\{y\}/ac'] \wedge (\exists y \bullet Q[\{y\}/ac'][y/s] \wedge y \in \emptyset))) \vee (\exists z \bullet ((P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists y \bullet P[\{y\}/ac'] \wedge (\exists y \bullet Q[\{y\}/ac'][y/s] \wedge y \in \{z\}))) \wedge z \in ac')$ {Property of sets and predicate calculus}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists z \bullet ((P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists y \bullet P[\{y\}/ac'] \wedge (\exists y \bullet Q[\{y\}/ac'][y/s] \wedge y = z))) \wedge z \in ac')$ {One-point rule}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists z \bullet ((P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\{z\}/ac'][z/s])) \wedge z \in ac')$ {Predicate calculus}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists z \bullet P[\emptyset/ac'] \wedge z \in ac') \vee (\exists z \bullet \exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s] \wedge z \in ac') \vee (\exists z \bullet \exists y \bullet P[\{y\}/ac'] \wedge Q[\{z\}/ac'][z/s] \wedge z \in ac')$ {Predicate calculus}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (P[\emptyset/ac'] \wedge (\exists z \bullet z \in ac')) \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s] \wedge (\exists z \bullet z \in ac')) \vee (\exists y \bullet P[\{y\}/ac'] \wedge (\exists z \bullet Q[\{z\}/ac'][z/s] \wedge z \in ac'))$ {Predicate calculus: absorption law}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge Q[\emptyset/ac'][y/s])) \vee (\exists y \bullet P[\{y\}/ac'] \wedge (\exists z \bullet Q[\{z\}/ac'][z/s] \wedge z \in ac'))$ {Lemma L.C.1.27}
$= A2(P) ;_A A2(Q)$

□

Properties with respect to links (p2ac and ac2p)

Lemma L.C.1.29 $p2ac \circ ac2p \circ A2(P) = A2(P) \wedge ac' \neq \emptyset$

Proof.

$p2ac \circ ac2p \circ A2(P)$ {Lemma L.C.1.32}
$= (P[\emptyset/ac'] \wedge ac' \neq \emptyset) \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')$ {Predicate calculus}
$= (P[\emptyset/ac'] \wedge ac' \neq \emptyset) \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac' \wedge ac' \neq \emptyset)$ {Predicate calculus}
$= (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')) \wedge ac' \neq \emptyset$ {Theorem T.4.2.11}
$= A2(P) \wedge ac' \neq \emptyset$

□


Lemma L.C.1.30 $p2ac \circ ac2p \circ PBMH(P) = p2ac \circ ac2p(P)$

Proof.

$p2ac \circ ac2p \circ PBMH(P)$ {Lemma L.5.3.1}
$= \exists ac_0, y \bullet PBMH(P)[ac_0/ac'] \wedge ac_0 \subseteq \{y\} \wedge y \in ac'$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0, y \bullet (\exists ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq ac')[ac_0/ac'] \wedge ac_0 \subseteq \{y\} \wedge y \in ac'$ {Substitution}
$= \exists ac_0, y, ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq ac_0 \wedge ac_0 \subseteq \{y\} \wedge y \in ac'$ {Predicate calculus}
$= \exists y, ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq \{y\} \wedge y \in ac'$ {Lemma L.5.3.1}
$= p2ac \circ ac2p(P)$

□


Lemma L.C.1.31 $p2ac \circ ac2p \circ A2(P) = p2ac \circ ac2p(P ;_A \{s\} = ac')$

Proof.

$p2ac \circ ac2p \circ A2(P)$ {Definition of A2}
$= p2ac \circ ac2p \circ PBMH(P ;_A \{s\} = ac')$ {Lemma L.C.1.30}
$= p2ac \circ ac2p(P ;_A \{s\} = ac')$

□


Lemma L.C.1.32

$p2ac \circ ac2p \circ A2(P) = (P[\emptyset/ac'] \wedge ac' \neq \emptyset) \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')$

Proof.

$p2ac \circ ac2p \circ A2(P)$ {Lemma L.C.1.31}
$= p2ac \circ ac2p(P ;_A \{s\} = ac')$ {Definition of $;_A$ and substitution}
$= p2ac \circ ac2p(P[\{s \mid \{s\} = ac'\}/ac'])$ {Lemma L.5.3.1}
$= \exists ac_0, y \bullet (P[\{s \mid \{s\} = ac'\}/ac'])[ac_0/ac'] \wedge ac_0 \subseteq \{y\} \wedge y \in ac'$ {Substitution}
$= \exists ac_0, y \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge ac_0 \subseteq \{y\} \wedge y \in ac'$ {Property of sets}
$= \exists ac_0, y \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge (ac_0 = \emptyset \vee ac_0 = \{y\}) \wedge y \in ac'$ {Predicate calculus}
$= (\exists ac_0, y \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge ac_0 = \emptyset \wedge y \in ac') \vee (\exists ac_0, y \bullet P[\{s \mid \{s\} = ac_0\}/ac'] \wedge ac_0 = \{y\} \wedge y \in ac')$ {One-point rule}
$= (\exists y \bullet P[\{s \mid \{s\} = \emptyset\}/ac'] \wedge y \in ac') \vee (\exists y \bullet P[\{s \mid \{s\} = \{y\}\}/ac'] \wedge y \in ac')$ {Property of sets}
$= (\exists y \bullet P[\emptyset/ac'] \wedge y \in ac') \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')$ {Predicate calculus}
$= (P[\emptyset/ac'] \wedge \exists y \bullet y \in ac') \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')$ {Property of sets}
$= (P[\emptyset/ac'] \wedge ac' \neq \emptyset) \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')$

□


C.2 Relationship with Extended Binary Multirelations

C.2.1 d2bmb

Theorem T.4.3.1 Provided $P$ is a design, $bmh_{0,1,2} \circ d2bmb(A(P)) = d2bmb(A(P))$.

Proof.

$bmh_{0,1,2} \circ d2bmb(A(P))$   {Definition of $bmh_{0,1,2}$}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 : \mathbb{P}\,State_\bot \bullet ((s, ss_0) \in d2bmb(A(P)) \lor (s, ss_0 \cup \{\bot\}) \in d2bmb(A(P))) \land ((s, \{\bot\}) \in d2bmb(A(P)) \Leftrightarrow (s, \emptyset) \in d2bmb(A(P))) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\}$   {Lemma L.C.2.4}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 : \mathbb{P}\,State_\bot \bullet ((s, ss_0) \in d2bmb(A(P)) \lor (s, ss_0 \cup \{\bot\}) \in d2bmb(A(P))) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\}$   {Predicate calculus}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0) \in d2bmb(A(P)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \lor (\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0 \cup \{\bot\}) \in d2bmb(A(P)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)) \,\}$   {Lemmas L.C.2.2 and L.C.2.3}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (\exists ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land ss \neq \emptyset \land \bot \notin ss)) \land ac_0 \subseteq ss) \lor (\exists ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss) \,\}$   {Predicate calculus and Lemma L.C.2.1}

$= d2bmb(A(P))$

□


Lemma L.C.2.1 (d2bmb-A-healthy) Provided $P$ is a design,

$d2bmb(A(P)) = \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land \bot \notin ss \land ss \neq \emptyset)) \land ac_0 \subseteq ss \,\}$

Proof.

$d2bmb(A(P))$   {Definition of $A$ and assumption: $P$ is a design}

$= d2bmb(\lnot PBMH(P^f) \vdash PBMH(P^t) \land ac' \neq \emptyset)$   {Definition of PBMH}

$= d2bmb(\lnot (P^f \mathbin{;} ac \subseteq ac') \vdash (P^t \mathbin{;} ac \subseteq ac') \land ac' \neq \emptyset)$   {Definition of d2bmb (Lemma L.C.2.8)}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((\lnot (P^f \mathbin{;} ac \subseteq ac') \Rightarrow ((P^t \mathbin{;} ac \subseteq ac') \land ac' \neq \emptyset))[ss/ac'] \land \bot \notin ss) \lor ((P^f \mathbin{;} ac \subseteq ac')[ss \setminus \{\bot\}/ac'] \land \bot \in ss) \,\}$   {Definition of sequential composition}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((\lnot (\exists ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ac') \Rightarrow (\exists ac_0 : \mathbb{P}\,State \bullet P^t[ac_0/ac'] \land ac_0 \subseteq ac' \land ac' \neq \emptyset))[ss/ac'] \land \bot \notin ss) \lor ((\exists ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ac')[ss \setminus \{\bot\}/ac'] \land \bot \in ss) \,\}$   {Type: $\bot \notin ac'$}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((\lnot (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ac' \land \bot \notin ac_0 \land \bot \notin ac') \Rightarrow (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^t[ac_0/ac'] \land ac_0 \subseteq ac' \land \bot \notin ac_0 \land \bot \notin ac' \land ac' \neq \emptyset))[ss/ac'] \land \bot \notin ss) \lor ((\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ac' \land \bot \notin ac_0 \land \bot \notin ac')[ss \setminus \{\bot\}/ac'] \land \bot \in ss) \,\}$   {Substitution}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad (((\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ac_0 \land \bot \notin ss) \lor (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^t[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ac_0 \land \bot \notin ss \land ss \neq \emptyset)) \land \bot \notin ss)$
$\quad \lor ((\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^f[ac_0/ac'] \land ac_0 \subseteq (ss \setminus \{\bot\}) \land \bot \notin ac_0 \land \bot \notin (ss \setminus \{\bot\})) \land \bot \in ss) \,\}$   {Propositional calculus and property of sets}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ac_0 \land \bot \notin ss)$
$\quad \lor (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^t[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ac_0 \land \bot \notin ss \land ss \neq \emptyset)$
$\quad \lor (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^f[ac_0/ac'] \land ac_0 \subseteq (ss \setminus \{\bot\}) \land \bot \notin ac_0 \land \bot \in ss) \,\}$   {Property of sets}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ac_0 \land \bot \notin ss)$
$\quad \lor (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^t[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ac_0 \land \bot \notin ss \land ss \neq \emptyset)$
$\quad \lor (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^f[ac_0/ac'] \land (\forall x : State_\bot \bullet x \in ac_0 \Rightarrow x \in ss) \land (\forall x : State_\bot \bullet x \in ac_0 \Rightarrow x \notin \{\bot\}) \land \bot \notin ac_0 \land \bot \in ss) \,\}$   {Propositional calculus, property of sets and Lemma L.B.5.4}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ac_0 \land \bot \notin ss)$
$\quad \lor (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^t[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ac_0 \land \bot \notin ss \land ss \neq \emptyset)$
$\quad \lor (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ac_0 \land \bot \in ss) \,\}$   {Propositional calculus}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ac_0) \lor (\exists ac_0 : \mathbb{P}\,State_\bot \bullet P^t[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ac_0 \land \bot \notin ss \land ss \neq \emptyset) \,\}$   {Propositional calculus}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ac_0 : \mathbb{P}\,State_\bot \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land \bot \notin ss \land ss \neq \emptyset)) \land ac_0 \subseteq ss \land \bot \notin ac_0 \,\}$   {Type restriction: $\bot \notin ac_0$}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land \bot \notin ss \land ss \neq \emptyset)) \land ac_0 \subseteq ss \,\}$

□


Lemma L.C.2.2 Provided $P$ is a design,

$\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0 \cup \{\bot\}) \in d2bmb(A(P)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)$
$= \exists ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss$

Proof.

$\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0 \cup \{\bot\}) \in d2bmb(A(P)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)$   {Definition of $d2bmb(A(P))$}

$= \exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0 \cup \{\bot\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land ss \neq \emptyset \land \bot \notin ss)) \land ac_0 \subseteq ss \,\} \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)$   {Property of sets}

$= \exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land (ss_0 \cup \{\bot\}) \neq \emptyset \land \bot \notin (ss_0 \cup \{\bot\}))) \land ac_0 \subseteq (ss_0 \cup \{\bot\}) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)$   {Property of sets and predicate calculus}

$= \exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq (ss_0 \cup \{\bot\}) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)$   {Property of sets}

$= \exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land (ac_0 \setminus \{\bot\}) \subseteq ss_0 \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)$   {Type of $ac'$: $\bot \notin ac'$, and property of sets}

$= \exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss_0 \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)$   {Predicate calculus}

$= (\exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss_0 \land ss_0 \subseteq ss \land \bot \in ss_0 \land \bot \in ss)$
$\lor (\exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss_0 \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss)$   {Predicate calculus}

$= (\exists ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \in ss) \lor (\exists ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ss)$   {Predicate calculus}

$= \exists ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss$

□
Lemma L.C.2.3 Provided $P$ is a design,

$\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0) \in d2bmb(A(P)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)$
$= \exists ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land ss \neq \emptyset \land \bot \notin ss)) \land ac_0 \subseteq ss$

Proof.

$\exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0) \in d2bmb(A(P)) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)$   {Definition of $d2bmb(A(P))$}

$= \exists ss_0 : \mathbb{P}\,State_\bot \bullet (s, ss_0) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land ss \neq \emptyset \land \bot \notin ss)) \land ac_0 \subseteq ss \,\} \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)$   {Property of sets}

$= \exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land ss_0 \neq \emptyset \land \bot \notin ss_0)) \land ac_0 \subseteq ss_0 \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss)$   {Predicate calculus}

$= (\exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss_0 \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss))$
$\lor (\exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet P^t[ac_0/ac'] \land ac_0 \subseteq ss_0 \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \land ss_0 \neq \emptyset \land \bot \notin ss_0)$   {Predicate calculus}

$= (\exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss_0 \land ss_0 \subseteq ss \land \bot \in ss_0 \land \bot \in ss)$
$\lor (\exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss_0 \land ss_0 \subseteq ss \land \bot \notin ss_0 \land \bot \notin ss)$
$\lor (\exists ss_0 : \mathbb{P}\,State_\bot,\ ac_0 : \mathbb{P}\,State \bullet P^t[ac_0/ac'] \land ac_0 \subseteq ss_0 \land ss_0 \subseteq ss \land ss_0 \neq \emptyset \land \bot \notin ss_0 \land \bot \notin ss)$   {Predicate calculus}

$= (\exists ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \in ss)$
$\lor (\exists ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq ss \land \bot \notin ss)$
$\lor (\exists ac_0 : \mathbb{P}\,State \bullet P^t[ac_0/ac'] \land ac_0 \subseteq ss \land ss \neq \emptyset \land \bot \notin ss)$   {Predicate calculus}

$= \exists ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land ss \neq \emptyset \land \bot \notin ss)) \land ac_0 \subseteq ss$

□


Lemma L.C.2.4 Provided $P$ is a design,

$(s, \{\bot\}) \in d2bmb(A(P)) \Leftrightarrow (s, \emptyset) \in d2bmb(A(P))$

Proof.

$(s, \{\bot\}) \in d2bmb(A(P)) \Leftrightarrow (s, \emptyset) \in d2bmb(A(P))$   {Lemma L.C.2.5 and Lemma L.C.2.6}

$= true$

□


Lemma L.C.2.5 Provided $P$ is a design, $(s, \{\bot\}) \in d2bmb(A(P)) = P^f[\emptyset/ac']$

Proof.

$(s, \{\bot\}) \in d2bmb(A(P))$   {Lemma L.C.2.1}

$= (s, \{\bot\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land ss \neq \emptyset \land \bot \notin ss)) \land ac_0 \subseteq ss \,\}$   {Property of sets}

$= \exists ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land \{\bot\} \neq \emptyset \land \bot \notin \{\bot\})) \land ac_0 \subseteq \{\bot\}$   {Property of sets and predicate calculus}

$= \exists ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq \{\bot\}$   {Case-analysis on $ac_0$ and one-point rule}

$= P^f[\emptyset/ac']$

□


Lemma L.C.2.6 Provided $P$ is a design, $(s, \emptyset) \in d2bmb(A(P)) = P^f[\emptyset/ac']$

Proof.

$(s, \emptyset) \in d2bmb(A(P))$   {Definition of d2bmb for $P$ that is $A$-healthy}

$= (s, \emptyset) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land ss \neq \emptyset \land \bot \notin ss)) \land ac_0 \subseteq ss \,\}$   {Property of sets}

$= \exists ac_0 : \mathbb{P}\,State \bullet (P^f[ac_0/ac'] \lor (P^t[ac_0/ac'] \land \emptyset \neq \emptyset \land \bot \notin \emptyset)) \land ac_0 \subseteq \emptyset$   {Property of sets and predicate calculus}

$= \exists ac_0 : \mathbb{P}\,State \bullet P^f[ac_0/ac'] \land ac_0 \subseteq \emptyset$   {Property of sets and one-point rule}

$= P^f[\emptyset/ac']$

□


Lemma L.C.2.7 Provided $P$ is a design,

$(s, \emptyset) \in d2bmb(A(P)) \Leftrightarrow (s, \{\bot\}) \in d2bmb(A(P)) = true$

Proof.

$(s, \emptyset) \in d2bmb(A(P)) \Leftrightarrow (s, \{\bot\}) \in d2bmb(A(P))$   {Lemma L.C.2.6 and Lemma L.C.2.5}

$= true$

□


Lemma L.C.2.8 Provided $ok$ and $ok'$ are not free in $P$ and $Q$,

$d2bmb(P \vdash Q) = \{\, s, ss \mid ((P \Rightarrow Q)[ss/ac'] \land \bot \notin ss) \lor ((\lnot P)[(ss \setminus \{\bot\})/ac'] \land \bot \in ss) \,\}$

Proof.

$d2bmb(P \vdash Q)$   {Definition of d2bmb}

$= \{\, s, ss \mid ((\lnot (P \vdash Q)^f \Rightarrow (P \vdash Q)^t)[true/ok][ss/ac'] \land \bot \notin ss) \lor ((P \vdash Q)^f[true/ok][(ss \setminus \{\bot\})/ac'] \land \bot \in ss) \,\}$   {Lemma L.A.2.11}

$= \{\, s, ss \mid ((\lnot (ok \Rightarrow \lnot P^f) \Rightarrow (P \vdash Q)^t)[true/ok][ss/ac'] \land \bot \notin ss) \lor ((ok \Rightarrow \lnot P^f)[true/ok][(ss \setminus \{\bot\})/ac'] \land \bot \in ss) \,\}$   {Lemma L.A.2.12}

$= \{\, s, ss \mid ((\lnot (ok \Rightarrow \lnot P^f) \Rightarrow ((ok \land P^t) \Rightarrow Q^t))[true/ok][ss/ac'] \land \bot \notin ss) \lor ((ok \Rightarrow \lnot P^f)[true/ok][(ss \setminus \{\bot\})/ac'] \land \bot \in ss) \,\}$   {Assumption: $ok'$ is not free in $P$ and $Q$}

$= \{\, s, ss \mid ((\lnot (ok \Rightarrow \lnot P) \Rightarrow ((ok \land P) \Rightarrow Q))[true/ok][ss/ac'] \land \bot \notin ss) \lor ((ok \Rightarrow \lnot P)[true/ok][(ss \setminus \{\bot\})/ac'] \land \bot \in ss) \,\}$   {Substitution and assumption: $ok$ not free in $P$ and $Q$}

$= \{\, s, ss \mid ((\lnot (true \Rightarrow \lnot P) \Rightarrow ((true \land P) \Rightarrow Q))[ss/ac'] \land \bot \notin ss) \lor ((true \Rightarrow \lnot P)[(ss \setminus \{\bot\})/ac'] \land \bot \in ss) \,\}$   {Predicate calculus}

$= \{\, s, ss \mid ((P \Rightarrow (P \Rightarrow Q))[ss/ac'] \land \bot \notin ss) \lor ((\lnot P)[(ss \setminus \{\bot\})/ac'] \land \bot \in ss) \,\}$   {Predicate calculus}

$= \{\, s, ss \mid ((P \Rightarrow Q)[ss/ac'] \land \bot \notin ss) \lor ((\lnot P)[(ss \setminus \{\bot\})/ac'] \land \bot \in ss) \,\}$

□


C.2.2 bmb2d

Lemma L.4.3.1 $bmb2d(B) = ok \Rightarrow (((s, ac') \in B \land \bot \notin ac' \land ok') \lor (s, ac' \cup \{\bot\}) \in B)$

Proof. Follows from the definition of design and type restriction on $ac'$.

□


Theorem T.4.3.2 Provided $B$ satisfies $bmh_{0,1,2}$, $A \circ bmb2d(B) = bmb2d(B)$.

Proof.

$A \circ bmb2d(B)$   {Assumption: $B = bmh_{0,1,2}(B)$ and Lemma L.C.2.10}

$= A(\lnot ((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \emptyset) \notin B)$   {Lemma L.C.2.9}

$= A(\lnot ((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land ac' \neq \emptyset \land (s, \emptyset) \notin B)$   {Definition of PBMH}

$= A(\lnot PBMH((s, ac' \cup \{\bot\}) \in B) \vdash PBMH((s, ac') \in B) \land ac' \neq \emptyset \land (s, \emptyset) \notin B)$   {Definition of $A$}

$= (\lnot (PBMH \circ PBMH((s, ac' \cup \{\bot\}) \in B)) \vdash PBMH(PBMH((s, ac') \in B) \land ac' \neq \emptyset \land (s, \emptyset) \notin B) \land ac' \neq \emptyset)$   {(PBMH-idempotent) Theorem T.E.2.1}

$= (\lnot PBMH((s, ac' \cup \{\bot\}) \in B) \vdash PBMH(PBMH((s, ac') \in B) \land ac' \neq \emptyset \land (s, \emptyset) \notin B) \land ac' \neq \emptyset)$   {Lemma L.E.4.4 and Lemma L.E.4.5}

$= (\lnot PBMH((s, ac' \cup \{\bot\}) \in B) \vdash PBMH(PBMH((s, ac') \in B) \land PBMH(ac' \neq \emptyset) \land PBMH((s, \emptyset) \notin B)) \land ac' \neq \emptyset)$   {Lemma L.E.3.1}

$= (\lnot PBMH((s, ac' \cup \{\bot\}) \in B) \vdash PBMH((s, ac') \in B) \land PBMH(ac' \neq \emptyset) \land PBMH((s, \emptyset) \notin B) \land ac' \neq \emptyset)$   {Lemma L.E.4.4 and Lemma L.E.4.5 and predicate calculus}

$= (\lnot PBMH((s, ac' \cup \{\bot\}) \in B) \vdash PBMH((s, ac') \in B) \land ac' \neq \emptyset \land (s, \emptyset) \notin B)$   {Definition of PBMH and Lemma L.C.2.9}

$= (\lnot ((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \emptyset) \notin B)$   {Assumption: $B = bmh_{0,1,2}(B)$ and Lemma L.C.2.10}

$= bmb2d(B)$

□

344

APPENDIX C. ANGELIC DESIGNS (A)


Lemma L.C.2.9

$((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \emptyset) \notin B$
$\Leftrightarrow$
$((s, ac') \in B \mathbin{;} ac \subseteq ac') \land ac' \neq \emptyset \land (s, \emptyset) \notin B$

Proof.

$((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \emptyset) \notin B$   {Definition of sequential composition}

$\Leftrightarrow (\exists ac_0 : \mathbb{P}\,State \bullet (s, ac_0) \in B \land ac_0 \subseteq ac') \land (s, \emptyset) \notin B$   {Predicate calculus}

$\Leftrightarrow (\exists ac_0 : \mathbb{P}\,State \bullet (s, ac_0) \in B \land ac_0 \subseteq ac' \land (ac' = \emptyset \lor ac' \neq \emptyset)) \land (s, \emptyset) \notin B$   {Predicate calculus}

$\Leftrightarrow ((\exists ac_0 : \mathbb{P}\,State \bullet (s, ac_0) \in B \land ac_0 \subseteq ac' \land ac' = \emptyset) \lor (\exists ac_0 : \mathbb{P}\,State \bullet (s, ac_0) \in B \land ac_0 \subseteq ac' \land ac' \neq \emptyset)) \land (s, \emptyset) \notin B$   {Property of sets and case analysis on $ac_0$}

$\Leftrightarrow (((s, \emptyset) \in B \land ac' = \emptyset) \lor (\exists ac_0 : \mathbb{P}\,State \bullet (s, ac_0) \in B \land ac_0 \subseteq ac' \land ac' \neq \emptyset)) \land (s, \emptyset) \notin B$   {Predicate calculus}

$\Leftrightarrow (\exists ac_0 : \mathbb{P}\,State \bullet (s, ac_0) \in B \land ac_0 \subseteq ac' \land ac' \neq \emptyset) \land (s, \emptyset) \notin B$   {Definition of sequential composition}

$\Leftrightarrow ((s, ac') \in B \mathbin{;} ac \subseteq ac' \land ac' \neq \emptyset) \land (s, \emptyset) \notin B$

□


Lemma L.C.2.10 Provided $B$ satisfies $bmh_{0,1,2}$,

$bmb2d(B) = (\lnot ((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \emptyset) \notin B)$

Proof.

$bmb2d(B)$   {Assumption: $B$ satisfies $bmh_{0,1,2}$}

$= bmb2d(bmh_{0,1,2}(B))$   {Lemma L.C.2.11}

$= \left( \lnot ((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \land \lnot (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \right)$   {Predicate calculus}

$= \left( \lnot \left( (((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \lor ((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac')) \land (((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \lor ((s, \{\bot\}) \notin B \land (s, \emptyset) \notin B)) \right) \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \right)$   {Predicate calculus}

$= \left( \lnot \left( (((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \lor ((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac')) \land ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \right) \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \right)$   {$B$ is BMH2-healthy, as $B$ satisfies $bmh_{0,1,2}$ and Theorem T.3.3.1}

$= \left( \lnot ((s, \{\bot\}) \in B \lor ((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac')) \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \emptyset) \notin B \right)$   {Definition of sequential composition}

$= \left( \lnot ((s, \{\bot\}) \in B \lor (\exists ac_0 : \mathbb{P}\,State \bullet (s, ac_0 \cup \{\bot\}) \in B \land ac_0 \subseteq ac')) \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \emptyset) \notin B \right)$   {Instantiation of existential quantifier for $ac_0 = \emptyset$}

$= \left( \lnot (\exists ac_0 : \mathbb{P}\,State \bullet (s, ac_0 \cup \{\bot\}) \in B \land ac_0 \subseteq ac') \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \emptyset) \notin B \right)$   {Definition of sequential composition}

$= \left( \lnot ((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \emptyset) \notin B \right)$

□


Lemma L.C.2.11

$bmb2d(bmh_{0,1,2}(B)) =$
$\left( \lnot ((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \land \lnot (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \right)$

Proof.

$bmb2d(bmh_{0,1,2}(B))$   {Definition of bmb2d}

$= ok \Rightarrow (((s, ac') \in bmh_{0,1,2}(B) \land \bot \notin ac' \land ok') \lor ((s, ac' \cup \{\bot\}) \in bmh_{0,1,2}(B) \land \bot \notin ac'))$   {Definition of $bmh_{0,1,2}(B)$}

$= ok \Rightarrow$
$\quad (((s, ac') \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s, ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \land \bot \notin ac' \land ok')$
$\quad \lor ((s, ac' \cup \{\bot\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid \exists ss_0 \bullet ((s, ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land ss_0 \subseteq ss \land (\bot \in ss_0 \Leftrightarrow \bot \in ss) \,\} \land \bot \notin ac'))$   {Property of sets and predicate calculus}

$= ok \Rightarrow$
$\quad ((\exists ss_0 \bullet ((s, ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land ss_0 \subseteq ac' \land (\bot \in ss_0 \Leftrightarrow \bot \in ac') \land \bot \notin ac' \land ok')$
$\quad \lor (\exists ss_0 \bullet ((s, ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land ss_0 \subseteq (ac' \cup \{\bot\}) \land (\bot \in ss_0 \Leftrightarrow \bot \in (ac' \cup \{\bot\})) \land \bot \notin ac'))$   {Predicate calculus}

$= ok \Rightarrow$
$\quad ((\exists ss_0 \bullet ((s, ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok')$
$\quad \lor (\exists ss_0 \bullet ((s, ss_0) \in B \lor (s, ss_0 \cup \{\bot\}) \in B) \land ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac'))$   {Predicate calculus}

$= ok \Rightarrow \left( ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac') \\ \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac') \end{array} \right) \right)$   {Property of sets}

$= ok \Rightarrow \left( ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac') \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac') \end{array} \right) \right)$   {Predicate calculus}

$= ok \Rightarrow \left( ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac') \end{array} \right) \right)$   {Predicate calculus: introduce fresh variable}

$= ok \Rightarrow \left( ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists t, ss_0 \bullet (s, t) \in B \land t = ss_0 \cup \{\bot\} \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac') \end{array} \right) \right)$   {Lemma L.B.5.2}

$= ok \Rightarrow \left( ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists t, ss_0 \bullet (s, t) \in B \land t \setminus \{\bot\} = ss_0 \land ss_0 \subseteq ac' \land \bot \in t \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac') \end{array} \right) \right)$   {One-point rule and substitution}

$= ok \Rightarrow \left( ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists t \bullet (s, t) \in B \land (t \setminus \{\bot\}) \subseteq ac' \land \bot \in t \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac') \end{array} \right) \right)$   {Property of sets and variable renaming}

$= ok \Rightarrow \left( ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac') \end{array} \right) \right)$   {Predicate calculus: absorption law}

$= ok \Rightarrow \left( ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq (ac' \cup \{\bot\}) \land \bot \in ss_0 \land \bot \notin ac') \end{array} \right) \right)$   {Lemma L.B.5.1}

$= ok \Rightarrow \left( ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land (\bot \in ss_0 \Leftrightarrow \bot \in ac') \land \bot \notin ac') \end{array} \right) \right)$   {Predicate calculus}

$= ok \Rightarrow \left( ((s, \{\bot\}) \in B \Leftrightarrow (s, \emptyset) \in B) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac') \end{array} \right) \right)$   {Predicate calculus}

$= ok \Rightarrow \left( (((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \lor ((s, \{\bot\}) \notin B \land (s, \emptyset) \notin B)) \land \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok') \\ \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac') \end{array} \right) \right)$   {Instantiation: consider case where $ss_0 = \emptyset$}

$= ok \Rightarrow \left( (((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \lor ((s, \{\bot\}) \notin B \land (s, \emptyset) \notin B)) \land \left( \begin{array}{l} (((s, \emptyset) \in B \lor \exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0) \land \bot \notin ac' \land ok') \\ \lor (((s, \{\bot\}) \in B \lor \exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0) \land \bot \notin ac') \end{array} \right) \right)$   {Predicate calculus: distribution}

$= ok \Rightarrow \left( \begin{array}{l} (((s, \emptyset) \in B \lor \exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0) \land \bot \notin ac' \land ok' \land (s, \{\bot\}) \in B \land (s, \emptyset) \in B) \\ \lor (((s, \emptyset) \in B \lor \exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0) \land \bot \notin ac' \land ok' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \\ \lor (((s, \{\bot\}) \in B \lor \exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0) \land \bot \notin ac' \land (s, \{\bot\}) \in B \land (s, \emptyset) \in B) \\ \lor (((s, \{\bot\}) \in B \lor \exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0) \land \bot \notin ac' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \end{array} \right)$   {Predicate calculus: absorption law}

$= ok \Rightarrow \left( \begin{array}{l} (\bot \notin ac' \land ok' \land (s, \{\bot\}) \in B \land (s, \emptyset) \in B) \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \\ \lor (\bot \notin ac' \land (s, \{\bot\}) \in B \land (s, \emptyset) \in B) \\ \lor (((s, \{\bot\}) \in B \lor \exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0) \land \bot \notin ac' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \end{array} \right)$   {Instantiation: consider case where $ss_0 = \emptyset$}

$= ok \Rightarrow \left( \begin{array}{l} (\bot \notin ac' \land ok' \land (s, \{\bot\}) \in B \land (s, \emptyset) \in B) \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \\ \lor (\bot \notin ac' \land (s, \{\bot\}) \in B \land (s, \emptyset) \in B) \\ \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \end{array} \right)$   {Predicate calculus: absorption law}

$= ok \Rightarrow \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \\ \lor (\bot \notin ac' \land (s, \{\bot\}) \in B \land (s, \emptyset) \in B) \\ \lor (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \end{array} \right)$   {Predicate calculus}

$= (ok \land \lnot (\bot \notin ac' \land (s, \{\bot\}) \in B \land (s, \emptyset) \in B)) \Rightarrow \left( \begin{array}{l} (\exists ss_0 \bullet (s, ss_0 \cup \{\bot\}) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \\ \lor (\exists ss_0 \bullet (s, ss_0) \in B \land ss_0 \subseteq ac' \land \bot \notin ss_0 \land \bot \notin ac' \land ok' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \end{array} \right)$   {Variable renaming and substitution}

$= (ok \land \lnot (\bot \notin ac' \land (s, \{\bot\}) \in B \land (s, \emptyset) \in B)) \Rightarrow \left( \begin{array}{l} (\exists ss_0 \bullet ((s, ac' \cup \{\bot\}) \in B \land \bot \notin ac')[ss_0/ac'] \land (ac \subseteq ac')[ss_0/ac] \land \bot \notin ac' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \\ \lor (\exists ss_0 \bullet ((s, ac') \in B \land \bot \notin ac')[ss_0/ac'] \land (ac \subseteq ac')[ss_0/ac] \land \bot \notin ac' \land ok' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \end{array} \right)$   {Definition of sequential composition and type of $ac'$: $\bot \notin ac'$}

$= (ok \land \lnot ((s, \{\bot\}) \in B \land (s, \emptyset) \in B)) \Rightarrow \left( \begin{array}{l} (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \\ \lor (((s, ac') \in B \mathbin{;} ac \subseteq ac') \land ok' \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \end{array} \right)$   {Definition of design}

$= \left( \lnot ((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \land \lnot (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \right)$

□


Lemma L.C.2.12 Provided $P$ is a design,

$(s, \{s_1 : State_\bot \mid true\}) \in d2bmb(P) = P^f[\{s_1 : State \mid true\}/ac']$

Proof.

$(s, \{s_1 : State_\bot \mid true\}) \in d2bmb(P)$   {Definition of d2bmb}

$= (s, \{s_1 : State_\bot \mid true\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((\lnot P^f \Rightarrow P^t)[ss/ac'] \land \bot \notin ss) \lor (P^f[ss \setminus \{\bot\}/ac'] \land \bot \in ss) \,\}$   {Property of sets}

$= ((\lnot P^f \Rightarrow P^t)[ss/ac'][\{s_1 : State_\bot \mid true\}/ss] \land \bot \notin \{s_1 : State_\bot \mid true\}) \lor (P^f[ss \setminus \{\bot\}/ac'][\{s_1 : State_\bot \mid true\}/ss] \land \bot \in \{s_1 : State_\bot \mid true\})$   {Property of sets and propositional calculus}

$= P^f[ss \setminus \{\bot\}/ac'][\{s_1 : State_\bot \mid true\}/ss]$   {Substitution}

$= P^f[\{s_1 : State_\bot \mid true\} \setminus \{\bot\}/ac']$   {Property of sets}

$= P^f[\{s_1 : State \mid true\}/ac']$

□


Lemma L.C.2.13 Provided $\bot \notin ac'$ and $P$ is a design,

$\{s : State \mid (s, ac' \cup \{\bot\}) \in d2bmb(P)\} = \{s : State \mid P^f\}$

Proof.

$\{s : State \mid (s, ac' \cup \{\bot\}) \in d2bmb(P)\}$   {Definition of d2bmb}

$= \{s : State \mid (s, ac' \cup \{\bot\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((\lnot P^f \Rightarrow P^t)[ss/ac'] \land \bot \notin ss) \lor (P^f[ss \setminus \{\bot\}/ac'] \land \bot \in ss) \,\}\}$   {Property of sets}

$= \{s : State \mid ((\lnot P^f \Rightarrow P^t)[ss/ac'][ac' \cup \{\bot\}/ss] \land \bot \notin (ac' \cup \{\bot\})) \lor (P^f[ss \setminus \{\bot\}/ac'][ac' \cup \{\bot\}/ss] \land \bot \in (ac' \cup \{\bot\}))\}$   {Property of sets}

$= \{s : State \mid P^f[ss \setminus \{\bot\}/ac'][ac' \cup \{\bot\}/ss]\}$   {Substitution}

$= \{s : State \mid P^f[(ac' \cup \{\bot\}) \setminus \{\bot\}/ac']\}$   {Property of sets, and assumption that $\bot \notin ac'$}

$= \{s : State \mid P^f\}$

□

Lemma L.C.2.14 Provided $\bot \notin ac'$ and $P$ is a design,

$\{s : State \mid (s, ac') \in d2bmb(P)\} = \{s : State \mid (\lnot P^f \Rightarrow P^t)\}$

Proof.

$\{s : State \mid (s, ac') \in d2bmb(P)\}$   {Definition of d2bmb}

$= \{s : State \mid (s, ac') \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((\lnot P^f \Rightarrow P^t)[ss/ac'] \land \bot \notin ss) \lor (P^f[ss \setminus \{\bot\}/ac'] \land \bot \in ss) \,\}\}$   {Property of sets}

$= \{s : State \mid ((\lnot P^f \Rightarrow P^t)[ss/ac'][ac'/ss] \land \bot \notin ac') \lor (P^f[ss \setminus \{\bot\}/ac'][ac'/ss] \land \bot \in ac')\}$   {Substitution}

$= \{s : State \mid ((\lnot P^f \Rightarrow P^t) \land \bot \notin ac') \lor (P^f[ac' \setminus \{\bot\}/ac'] \land \bot \in ac')\}$   {Assumption: $\bot \notin ac'$}

$= \{s : State \mid (\lnot P^f \Rightarrow P^t)\}$

□


Lemma L.C.2.15 Provided $P$ and $Q$ are designs,

$(s, \{s : State \mid (s, ac' \cup \{\bot\}) \in d2bmb(P)\}) \in d2bmb(Q) = (\lnot Q^f \Rightarrow Q^t)[\{s : State \mid P^f\}/ac']$

Proof.

$(s, \{s : State \mid (s, ac' \cup \{\bot\}) \in d2bmb(P)\}) \in d2bmb(Q)$   {Lemma L.C.2.13}

$= (s, \{s : State \mid P^f\}) \in d2bmb(Q)$   {Definition of d2bmb}

$= (s, \{s : State \mid P^f\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((\lnot Q^f \Rightarrow Q^t)[ss/ac'] \land \bot \notin ss) \lor (Q^f[ss \setminus \{\bot\}/ac'] \land \bot \in ss) \,\}$   {Property of sets}

$= ((\lnot Q^f \Rightarrow Q^t)[ss/ac'][\{s : State \mid P^f\}/ss] \land \bot \notin \{s : State \mid P^f\}) \lor (Q^f[ss \setminus \{\bot\}/ac'][\{s : State \mid P^f\}/ss] \land \bot \in \{s : State \mid P^f\})$   {Property of sets}

$= (\lnot Q^f \Rightarrow Q^t)[ss/ac'][\{s : State \mid P^f\}/ss]$   {Substitution}

$= (\lnot Q^f \Rightarrow Q^t)[\{s : State \mid P^f\}/ac']$

□


Lemma L.C.2.16 Provided $P$ and $Q$ are designs,

$(s, \{s : State \mid (s, ac') \in d2bmb(P)\}) \in d2bmb(Q) = (\lnot Q^f \Rightarrow Q^t)[\{s : State \mid (\lnot P^f \Rightarrow P^t)\}/ac']$

Proof.

$(s, \{s : State \mid (s, ac') \in d2bmb(P)\}) \in d2bmb(Q)$   {Lemma L.C.2.14}

$= (s, \{s : State \mid (\lnot P^f \Rightarrow P^t)\}) \in d2bmb(Q)$   {Definition of d2bmb}

$= (s, \{s : State \mid (\lnot P^f \Rightarrow P^t)\}) \in \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid ((\lnot Q^f \Rightarrow Q^t)[ss/ac'] \land \bot \notin ss) \lor (Q^f[ss \setminus \{\bot\}/ac'] \land \bot \in ss) \,\}$   {Property of sets}

$= ((\lnot Q^f \Rightarrow Q^t)[ss/ac'][\{s : State \mid (\lnot P^f \Rightarrow P^t)\}/ss] \land \bot \notin \{s : State \mid (\lnot P^f \Rightarrow P^t)\})$
$\lor (Q^f[ss \setminus \{\bot\}/ac'][\{s : State \mid (\lnot P^f \Rightarrow P^t)\}/ss] \land \bot \in \{s : State \mid (\lnot P^f \Rightarrow P^t)\})$   {Property of sets and propositional calculus}

$= (\lnot Q^f \Rightarrow Q^t)[ss/ac'][\{s : State \mid (\lnot P^f \Rightarrow P^t)\}/ss]$   {Substitution}

$= (\lnot Q^f \Rightarrow Q^t)[\{s : State \mid (\lnot P^f \Rightarrow P^t)\}/ac']$

□


Lemma L.C.2.17

$bmb2d(B_0 \mathbin{;} B_1) = ok \Rightarrow \left( \begin{array}{l} ((s, \{s_1 : State \mid (s_1, ac') \in B_1\}) \in B_0 \land \bot \notin ac' \land ok') \\ \lor ((s, \{s_1 : State_\bot \mid true\}) \in B_0 \land \bot \notin ac') \\ \lor ((s, \{s_1 : State \mid (s_1, ac' \cup \{\bot\}) \in B_1\}) \in B_0 \land \bot \notin ac') \end{array} \right)$

Proof.

$bmb2d(B_0 \mathbin{;} B_1)$   {Definition of bmb2d}

$= ok \Rightarrow (((s, ac') \in (B_0 \mathbin{;} B_1) \land \bot \notin ac' \land ok') \lor ((s, ac' \cup \{\bot\}) \in (B_0 \mathbin{;} B_1) \land \bot \notin ac'))$   {Definition of sequential composition}

$= ok \Rightarrow \left( \begin{array}{l} ((s, ac') \in (\{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s, \{s_1 : State_\bot \mid true\}) \in B_0 \,\} \cup \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s, \{s_1 : State \mid (s_1, ss) \in B_1\}) \in B_0 \,\}) \land \bot \notin ac' \land ok') \\ \lor ((s, ac' \cup \{\bot\}) \in (\{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s, \{s_1 : State_\bot \mid true\}) \in B_0 \,\} \cup \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid (s, \{s_1 : State \mid (s_1, ss) \in B_1\}) \in B_0 \,\}) \land \bot \notin ac') \end{array} \right)$   {Property of sets and propositional calculus}

$= ok \Rightarrow \left( \begin{array}{l} ((s, \{s_1 : State_\bot \mid true\}) \in B_0 \land \bot \notin ac' \land ok') \\ \lor ((s, \{s_1 : State \mid (s_1, ac') \in B_1\}) \in B_0 \land \bot \notin ac' \land ok') \\ \lor ((s, \{s_1 : State_\bot \mid true\}) \in B_0 \land \bot \notin ac') \\ \lor ((s, \{s_1 : State \mid (s_1, ac' \cup \{\bot\}) \in B_1\}) \in B_0 \land \bot \notin ac') \end{array} \right)$   {Propositional calculus: absorption law}

$= ok \Rightarrow \left( \begin{array}{l} ((s, \{s_1 : State \mid (s_1, ac') \in B_1\}) \in B_0 \land \bot \notin ac' \land ok') \\ \lor ((s, \{s_1 : State_\bot \mid true\}) \in B_0 \land \bot \notin ac') \\ \lor ((s, \{s_1 : State \mid (s_1, ac' \cup \{\bot\}) \in B_1\}) \in B_0 \land \bot \notin ac') \end{array} \right)$

□
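Theorems T.4.3.1 to T.4.3.4 (the last two are proved in the next subsection) and the definitions they rest on, d2bmb, bmb2d, PBMH, A and $bmh_{0,1,2}$, can be checked by exhaustive enumeration once State is finite. The following Python model is an added example, not code from the thesis: it assumes a constructed three-element State, takes d2bmb from Lemma L.C.2.8, bmb2d from the definition used in the proof of Lemma L.C.2.11, $bmh_{0,1,2}$ as expanded in the proof of Theorem T.4.3.1, and represents a design by its $P^f$ and $P^t$ components.

```python
from itertools import combinations

# Added example, not code from the thesis. Constructed finite model: a
# three-element State and the divergence element BOT standing for ⊥, so that
# every predicate over (s, ac') or (s, ss) can be enumerated exhaustively.
STATE = (0, 1, 2)
BOT = "bot"


def subsets(elems):
    """Powerset of elems as frozensets."""
    return [frozenset(c) for r in range(len(elems) + 1)
            for c in combinations(elems, r)]


ACS = subsets(STATE)           # values of ac' : P State   (⊥ ∉ ac' by type)
SSS = subsets(STATE + (BOT,))  # values of ss  : P State⊥


class Design:
    """A design (¬P^f ⊢ P^t) is fixed by P^f and P^t, here given as the sets
    of pairs (s, ac') satisfying them; for any design P^f ⇒ P^t."""

    def __init__(self, f, t):
        self.f, self.t = frozenset(f), frozenset(t)
        assert self.f <= self.t, "not a design: P^f must imply P^t"

    def __eq__(self, other):
        return self.f == other.f and self.t == other.t


def pbmh(pred):
    """PBMH(P) = P ; ac ⊆ ac' = ∃ ac0 • P[ac0/ac'] ∧ ac0 ⊆ ac'."""
    return frozenset((s, ac) for s in STATE for ac in ACS
                     if any((s, ac0) in pred and ac0 <= ac for ac0 in ACS))


def healthy_A(P):
    """A(P) = (¬PBMH(P^f) ⊢ PBMH(P^t) ∧ ac' ≠ ∅), read as its (f, t) pair."""
    f = pbmh(P.f)
    return Design(f, f | frozenset(p for p in pbmh(P.t) if p[1]))


def d2bmb(P):
    """Lemma L.C.2.8: (s, ss) ∈ d2bmb(P) iff ((¬P^f ⇒ P^t)[ss/ac'] ∧ ⊥ ∉ ss)
    ∨ (P^f[(ss \\ {⊥})/ac'] ∧ ⊥ ∈ ss); since P^f ⇒ P^t, ¬P^f ⇒ P^t is P^t."""
    return frozenset((s, ss) for s in STATE for ss in SSS
                     if (BOT not in ss and (s, ss) in P.t)
                     or (BOT in ss and (s, ss - {BOT}) in P.f))


def bmb2d(B):
    """bmb2d(B) = ok ⇒ (((s, ac') ∈ B ∧ ⊥ ∉ ac' ∧ ok') ∨ ((s, ac' ∪ {⊥}) ∈ B ∧ ⊥ ∉ ac')).
    Its P^f component (ok' false) is the second disjunct; P^t is both."""
    f = frozenset((s, ac) for s in STATE for ac in ACS if (s, ac | {BOT}) in B)
    return Design(f, f | frozenset((s, ac) for s in STATE for ac in ACS
                                   if (s, ac) in B))


def bmh012(B):
    """bmh0,1,2(B) as expanded in the proof of Theorem T.4.3.1."""
    def member(s, ss):
        if ((s, frozenset([BOT])) in B) != ((s, frozenset()) in B):
            return False
        return any(((s, ss0) in B or (s, ss0 | {BOT}) in B)
                   and ss0 <= ss and (BOT in ss0) == (BOT in ss)
                   for ss0 in SSS)
    return frozenset((s, ss) for s in STATE for ss in SSS if member(s, ss))


def check_theorems(P, B):
    """Evaluate T.4.3.1 to T.4.3.4 for a design P and a bmh0,1,2-healthy B."""
    AP = healthy_A(P)
    return {
        "T.4.3.1": bmh012(d2bmb(AP)) == d2bmb(AP),
        "T.4.3.2": healthy_A(bmb2d(B)) == bmb2d(B),
        "T.4.3.3": d2bmb(bmb2d(B)) == B,
        "T.4.3.4": bmb2d(d2bmb(AP)) == AP,
    }


# Constructed sample design: precondition s ≠ 0, postcondition 1 ∈ ac',
# so P^f = (s = 0) and P^t = (s = 0 ∨ 1 ∈ ac').
SAMPLE_P = Design(
    f={(s, ac) for s in STATE for ac in ACS if s == 0},
    t={(s, ac) for s in STATE for ac in ACS if s == 0 or 1 in ac},
)
# Constructed sample multirelation, closed under bmh0,1,2 before use.
SAMPLE_B = bmh012(frozenset([
    (0, frozenset([1])), (1, frozenset([BOT])), (1, frozenset()),
    (2, frozenset([0, 2])),
]))

if __name__ == "__main__":
    for name, holds in check_theorems(SAMPLE_P, SAMPLE_B).items():
        print(name, holds)
```

Dropping the `bmh012` closure of `SAMPLE_B` makes T.4.3.3 fail, which is the healthiness assumption the theorem states.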


C.2.3 Isomorphism: d2bmb and bmb2d

Theorem T.4.3.3 Provided $B$ is BMH0-BMH2-healthy, $d2bmb \circ bmb2d(B) = B$

Proof.

$d2bmb \circ bmb2d(B)$   {Assumption: $B$ is BMH0-BMH2-healthy}

$= d2bmb \circ bmb2d(bmh_{0,1,2}(B))$   {Lemma L.C.2.10}

$= d2bmb \left( \lnot ((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \land \lnot (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \vdash ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \right)$   {Definition of d2bmb}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad \left( \left( \lnot ((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \land \lnot (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \Rightarrow ((s, ac') \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \right)[ss/ac'] \land \bot \notin ss \right)$
$\quad \lor \left( \lnot \left( \lnot ((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \land \lnot (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ac') \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \right)[ss \setminus \{\bot\}/ac'] \land \bot \in ss \right) \,\}$   {Substitution}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad \left( \left( \lnot ((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \land \lnot (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \Rightarrow ((s, ac') \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \right) \land \bot \notin ss \right)$
$\quad \lor \left( \lnot \left( \lnot ((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \land \lnot (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq (ss \setminus \{\bot\})) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \right) \land \bot \in ss \right) \,\}$   {Predicate calculus}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad \left( \left( \lnot ((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \land \lnot (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \Rightarrow ((s, ac') \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \right) \land \bot \notin ss \right)$
$\quad \lor \left( \left( ((s, \{\bot\}) \in B \land (s, \emptyset) \in B) \lor (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq (ss \setminus \{\bot\})) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B) \right) \land \bot \in ss \right) \,\}$   {Predicate calculus}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad ((s, \{\bot\}) \in B \land (s, \emptyset) \in B \land \bot \notin ss)$
$\quad \lor (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land \bot \notin ss)$
$\quad \lor (((s, ac') \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land \bot \notin ss)$
$\quad \lor ((s, \{\bot\}) \in B \land (s, \emptyset) \in B \land \bot \in ss)$
$\quad \lor (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq (ss \setminus \{\bot\})) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land \bot \in ss) \,\}$   {Predicate calculus}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad ((s, \{\bot\}) \in B \land (s, \emptyset) \in B)$
$\quad \lor (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land \bot \notin ss)$
$\quad \lor (((s, ac') \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land \bot \notin ss)$
$\quad \lor (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq (ss \setminus \{\bot\})) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land \bot \in ss) \,\}$   {Type: $\bot \notin ac$}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad ((s, \{\bot\}) \in B \land (s, \emptyset) \in B)$
$\quad \lor (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land \bot \notin ss)$
$\quad \lor (((s, ac') \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land \bot \notin ss)$
$\quad \lor (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land \bot \in ss) \,\}$   {Predicate calculus}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad ((s, \{\bot\}) \in B \land (s, \emptyset) \in B)$
$\quad \lor (((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B)$
$\quad \lor (((s, ac') \in B \mathbin{;} ac \subseteq ss) \land (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land \bot \notin ss) \,\}$   {Predicate calculus}

$= \{\, s : State,\ ss : \mathbb{P}\,State_\bot \mid$
$\quad ((s, \{\bot\}) \in B \land (s, \emptyset) \in B)$
$\quad \lor \left( (s, \{\bot\}) \notin B \land (s, \emptyset) \notin B \land \left( ((s, ac' \cup \{\bot\}) \in B \mathbin{;} ac \subseteq ss) \lor (((s, ac') \in B \mathbin{;} ac \subseteq ss) \land \bot \notin ss) \right) \right) \,\}$   {Lemma L.B.2.10}

$= bmh_{0,1,2}(B)$   {Assumption: $B$ is BMH0-BMH2-healthy}

$= B$

□


Theorem T.4.3.4 Provided P is an A-healthy design,

bmb2d ∘ d2bmb(P) = P

Proof.

  bmb2d ∘ d2bmb(P)                                                {Assumption: P is A-healthy}
= bmb2d ∘ d2bmb(A(P))                                             {Definition of bmb2d}
= ok ⇒ ( ((s, ac') ∈ d2bmb(A(P)) ∧ ⊥ ∉ ac' ∧ ok')
         ∨ ((s, ac' ∪ {⊥}) ∈ d2bmb(A(P)) ∧ ⊥ ∉ ac') )
                                                                  {Definition of d2bmb(A(P)), Lemma L.C.2.1}
= ok ⇒ ( ( (s, ac') ∈ { s : State, ss : ℙ State⊥ |
                         ∃ ac₀ : ℙ State • (P^f[ac₀/ac'] ∨ (P^t[ac₀/ac'] ∧ ⊥ ∉ ss ∧ ss ≠ ∅)) ∧ ac₀ ⊆ ss }
           ∧ ⊥ ∉ ac' ∧ ok' )
         ∨
         ( (s, ac' ∪ {⊥}) ∈ { s : State, ss : ℙ State⊥ |
                               ∃ ac₀ : ℙ State • (P^f[ac₀/ac'] ∨ (P^t[ac₀/ac'] ∧ ⊥ ∉ ss ∧ ss ≠ ∅)) ∧ ac₀ ⊆ ss }
           ∧ ⊥ ∉ ac' ) )
                                                                  {Property of sets}
= ok ⇒ ( (∃ ac₀ : ℙ State • (P^f[ac₀/ac'] ∨ (P^t[ac₀/ac'] ∧ ⊥ ∉ ac' ∧ ac' ≠ ∅)) ∧ ac₀ ⊆ ac' ∧ ⊥ ∉ ac' ∧ ok')
         ∨
         (∃ ac₀ : ℙ State • (P^f[ac₀/ac'] ∨ (P^t[ac₀/ac'] ∧ ⊥ ∉ (ac' ∪ {⊥}) ∧ (ac' ∪ {⊥}) ≠ ∅))
                            ∧ ac₀ ⊆ (ac' ∪ {⊥}) ∧ ⊥ ∉ ac') )
                                                                  {Property of sets and predicate calculus}
= ok ⇒ ( (∃ ac₀ : ℙ State • P^f[ac₀/ac'] ∧ ac₀ ⊆ ac' ∧ ⊥ ∉ ac' ∧ ok')
         ∨ (∃ ac₀ : ℙ State • P^t[ac₀/ac'] ∧ ac₀ ⊆ ac' ∧ ⊥ ∉ ac' ∧ ac' ≠ ∅ ∧ ok')
         ∨ (∃ ac₀ : ℙ State • P^f[ac₀/ac'] ∧ ac₀ ⊆ (ac' ∪ {⊥}) ∧ ⊥ ∉ ac') )
                                                                  {Type restriction: ⊥ ∉ ac₀ and property of sets}
= ok ⇒ ( (∃ ac₀ : ℙ State • P^f[ac₀/ac'] ∧ ac₀ ⊆ ac' ∧ ⊥ ∉ ac' ∧ ok')
         ∨ (∃ ac₀ : ℙ State • P^t[ac₀/ac'] ∧ ac₀ ⊆ ac' ∧ ⊥ ∉ ac' ∧ ac' ≠ ∅ ∧ ok')
         ∨ (∃ ac₀ : ℙ State • P^f[ac₀/ac'] ∧ ac₀ ⊆ ac' ∧ ⊥ ∉ ac') )
                                                                  {Predicate calculus}
= ok ⇒ ( (∃ ac₀ : ℙ State • P^t[ac₀/ac'] ∧ ac₀ ⊆ ac' ∧ ⊥ ∉ ac' ∧ ac' ≠ ∅ ∧ ok')
         ∨ (∃ ac₀ : ℙ State • P^f[ac₀/ac'] ∧ ac₀ ⊆ ac' ∧ ⊥ ∉ ac') )
                                                                  {Type restriction: ⊥ ∉ ac'}
= ok ⇒ ( (∃ ac₀ : ℙ State • P^t[ac₀/ac'] ∧ ac₀ ⊆ ac' ∧ ac' ≠ ∅ ∧ ok')
         ∨ (∃ ac₀ : ℙ State • P^f[ac₀/ac'] ∧ ac₀ ⊆ ac') )
                                                                  {Definition of sequential composition}
= ok ⇒ ( ((P^t ; ac ⊆ ac') ∧ ac' ≠ ∅ ∧ ok') ∨ (P^f ; ac ⊆ ac') )    {Predicate calculus}
= (ok ∧ ¬ (P^f ; ac ⊆ ac')) ⇒ ((P^t ; ac ⊆ ac') ∧ ac' ≠ ∅ ∧ ok')     {Definition of design}
= (¬ (P^f ; ac ⊆ ac') ⊢ (P^t ; ac ⊆ ac') ∧ ac' ≠ ∅)                 {Definition of PBMH}
= (¬ PBMH(P^f) ⊢ PBMH(P^t) ∧ ac' ≠ ∅)                               {Definition of A}
= A(P)                                                             {Assumption: P is A-healthy}
= P
□
C.3 Refinement and Extreme Points

Theorem T.4.4.1 A(⊥_D) = ⊥_D

Proof.

  A(⊥_D)                                                   {Definition of ⊥_D}
= A(true)                                                  {Property of designs}
= A(false ⊢ true)                                          {Definition of A}
= (¬ PBMH(true) ⊢ PBMH(true) ∧ ac' ≠ ∅)                    {Definition of PBMH and sequential composition}
= ( ¬ (∃ ac₀, ok₀ • true[ac₀, ok₀/ac', ok'] ∧ ac₀ ⊆ ac')
    ⊢ (∃ ac₀, ok₀ • true[ac₀, ok₀/ac', ok'] ∧ ac₀ ⊆ ac') ∧ ac' ≠ ∅ )
                                                           {Property of substitution and propositional calculus}
= (false ⊢ ac' ≠ ∅)                                        {Definition of design and propositional calculus}
= ⊥_D
□


Theorem T.4.4.2 A(⊤_D) = ⊤_D

Proof.

  A(⊤_D)                                                   {Definition of ⊤_D}
= A(¬ ok)                                                  {Property of designs}
= A(true ⊢ false)                                          {Definition of A}
= (¬ PBMH(false) ⊢ PBMH(false) ∧ ac' ≠ ∅)                  {Definition of PBMH}
= ( ¬ (∃ ac₀, ok₀ • false[ac₀, ok₀/ac', ok'] ∧ ac₀ ⊆ ac')
    ⊢ (∃ ac₀, ok₀ • false[ac₀, ok₀/ac', ok'] ∧ ac₀ ⊆ ac') ∧ ac' ≠ ∅ )
                                                           {Property of substitution and propositional calculus}
= (true ⊢ false)                                           {Property of designs and propositional calculus}
= ⊤_D
□
Theorem T.4.4.3 Provided B₀ and B₁ are BMH0-BMH2-healthy,

bmb2d(B₀) ⊑_D bmb2d(B₁) ⇔ B₀ ⊑_BM⊥ B₁

Proof.

  bmb2d(B₀) ⊑_D bmb2d(B₁)                                               {Definition of bmb2d}
⇔ ((s, ac' ∪ {⊥}) ∉ B₀ ⊢ (s, ac') ∈ B₀) ⊑_D ((s, ac' ∪ {⊥}) ∉ B₁ ⊢ (s, ac') ∈ B₁)
                                                                        {Refinement of designs}
⇔ ( ((s, ac' ∪ {⊥}) ∉ B₀ ∧ (s, ac') ∈ B₁) ⇒ (s, ac') ∈ B₀ )
   ∧ ( (s, ac' ∪ {⊥}) ∉ B₀ ⇒ (s, ac' ∪ {⊥}) ∉ B₁ )                       {Predicate calculus}
⇔ ( ((s, ac' ∪ {⊥}) ∉ B₀ ⇒ (s, ac') ∈ B₀) ∨ ((s, ac') ∈ B₁ ⇒ (s, ac') ∈ B₀) )
   ∧ ( (s, ac' ∪ {⊥}) ∉ B₀ ⇒ (s, ac' ∪ {⊥}) ∉ B₁ )                       {Assumption: B₀ is BMH1-healthy}
⇔ ( ( ((s, ac' ∪ {⊥}) ∉ B₀ ⇒ (s, ac') ∈ B₀) ∧ ((s, ac' ∪ {⊥}) ∈ B₀ ⇒ (s, ac') ∈ B₀) )
     ∨ ((s, ac') ∈ B₁ ⇒ (s, ac') ∈ B₀) )
   ∧ ( (s, ac' ∪ {⊥}) ∉ B₀ ⇒ (s, ac' ∪ {⊥}) ∉ B₁ )                       {Predicate calculus}
⇔ ( (((s, ac' ∪ {⊥}) ∉ B₀ ∨ (s, ac' ∪ {⊥}) ∈ B₀) ⇒ (s, ac') ∈ B₀)
     ∨ ((s, ac') ∈ B₁ ⇒ (s, ac') ∈ B₀) )
   ∧ ( (s, ac' ∪ {⊥}) ∉ B₀ ⇒ (s, ac' ∪ {⊥}) ∉ B₁ )                       {Predicate calculus}
⇔ ( (s, ac') ∈ B₀ ∨ ((s, ac') ∈ B₁ ⇒ (s, ac') ∈ B₀) )
   ∧ ( (s, ac' ∪ {⊥}) ∉ B₀ ⇒ (s, ac' ∪ {⊥}) ∉ B₁ )                       {Predicate calculus}
⇔ ( (s, ac') ∈ B₁ ⇒ (s, ac') ∈ B₀ )
   ∧ ( (s, ac' ∪ {⊥}) ∈ B₁ ⇒ (s, ac' ∪ {⊥}) ∈ B₀ )                       {Lemma L.C.3.2}
⇔ B₁ ⊆ B₀                                                                {Definition of ⊑_BM⊥}
⇔ B₀ ⊑_BM⊥ B₁
□


Theorem T.C.3.1 Provided that P is an angelic design, ⊥_Dac ⊑_D P ⊑_D ⊤_Dac.

Proof. Follows from A monotonic, the definition of ⊤_Dac and ⊥_Dac, and the implication ordering. □


Lemma L.C.3.1 [(∃ ac' • ¬ P^f) = ¬ P^f] ⇔ [(∃ ac' • P^f) = P^f]

Proof.

  [(∃ ac' • ¬ P^f) = ¬ P^f]                                                   {Universal quantification}
⇔ ( ∀ ok, ok', ac', s • (∃ ac' • ¬ P^f) ⇒ ¬ P^f )
   ∧ ( ∀ ok, ok', ac', s • ¬ P^f ⇒ (∃ ac' • ¬ P^f) )                           {Predicate calculus}
⇔ ∀ ok, ok', ac', s • (∃ ac' • ¬ P^f) ⇒ ¬ P^f                                 {Predicate calculus}
⇔ ∀ ok, s • (∃ ac' • ¬ P^f) ⇒ (∀ ac' • ¬ P^f)                                 {Predicate calculus}
⇔ ∀ ok, s • ¬ (∀ ac' • ¬ P^f) ⇒ ¬ (∃ ac' • ¬ P^f)                             {Predicate calculus}
⇔ ∀ ok, s • (∃ ac' • P^f) ⇒ (∀ ac' • P^f)                                     {Predicate calculus}
⇔ ∀ ok, s, ac', ok' • (∃ ac' • P^f) ⇒ P^f                                     {Predicate calculus}
⇔ ( ∀ ok, s, ac', ok' • (∃ ac' • P^f) ⇒ P^f )
   ∧ ( ∀ ok, s, ac', ok' • P^f ⇒ (∃ ac' • P^f) )                               {Universal quantification}
⇔ [(∃ ac' • P^f) = P^f]
□


Lemma L.C.3.2 Provided B₀ and B₁ are of type BM⊥,

((s, ac') ∈ B₁ ⇒ (s, ac') ∈ B₀) ∧ ((s, ac' ∪ {⊥}) ∈ B₁ ⇒ (s, ac' ∪ {⊥}) ∈ B₀) ⇔ B₁ ⊆ B₀

Proof.

  B₁ ⊆ B₀                                                                            {Definition of subset inclusion}
⇔ ∀ s : State, ss : ℙ State⊥ • (s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀                            {Predicate calculus}
⇔ ∀ s : State, ss : ℙ State⊥ • ((s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀) ∧ (⊥ ∈ ss ∨ ⊥ ∉ ss)       {Predicate calculus}
⇔ ( ∀ s : State, ss : ℙ State⊥ • ⊥ ∈ ss ⇒ ((s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀) )
   ∧ ( ∀ s : State, ss : ℙ State⊥ • ⊥ ∉ ss ⇒ ((s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀) )            {Predicate calculus}
⇔ ( ∀ s : State, ss : ℙ State⊥ • (∃ t : ℙ State • t = ss \ {⊥} ∧ ⊥ ∈ ss) ⇒ ((s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀) )
   ∧ ( ∀ s : State, ss : ℙ State⊥ • ⊥ ∉ ss ⇒ ((s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀) )            {Lemma L.11.5.2}
⇔ ( ∀ s : State, ss : ℙ State⊥ • (∃ t : ℙ State • ⊥ ∉ t ∧ t ∪ {⊥} = ss) ⇒ ((s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀) )
   ∧ ( ∀ s : State, ss : ℙ State⊥ • ⊥ ∉ ss ⇒ ((s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀) )            {Type: ⊥ ∉ t}
⇔ ( ∀ s : State, ss : ℙ State⊥ • (∃ t : ℙ State • t ∪ {⊥} = ss) ⇒ ((s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀) )
   ∧ ( ∀ s : State, ss : ℙ State⊥ • ⊥ ∉ ss ⇒ ((s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀) )            {Predicate calculus}
⇔ ( ∀ s : State, ss : ℙ State⊥, t : ℙ State • (t ∪ {⊥} = ss) ⇒ ((s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀) )
   ∧ ( ∀ s : State, ss : ℙ State⊥ • ⊥ ∉ ss ⇒ ((s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀) )            {Predicate calculus: one-point rule}
⇔ ( ∀ s : State, t : ℙ State • (s, t ∪ {⊥}) ∈ B₁ ⇒ (s, t ∪ {⊥}) ∈ B₀ )
   ∧ ( ∀ s : State, ss : ℙ State • (s, ss) ∈ B₁ ⇒ (s, ss) ∈ B₀ )                       {Variable renaming and predicate calculus}
⇔ ∀ s : State, ac' : ℙ State •
      ((s, ac' ∪ {⊥}) ∈ B₁ ⇒ (s, ac' ∪ {⊥}) ∈ B₀) ∧ ((s, ac') ∈ B₁ ⇒ (s, ac') ∈ B₀)      {Universal quantification}
⇔ ((s, ac' ∪ {⊥}) ∈ B₁ ⇒ (s, ac' ∪ {⊥}) ∈ B₀) ∧ ((s, ac') ∈ B₁ ⇒ (s, ac') ∈ B₀)
□


C.4 Operators

C.4.1 Sequential Composition

Theorem T.4.5.1 Provided ok and ok' are not free in P, Q, R and S, and that ¬ P and Q are PBMH-healthy,

(P ⊢ Q) ;_Dac (R ⊢ S) = (¬ (¬ P ;_A true) ∧ ¬ (Q ;_A ¬ R) ⊢ Q ;_A (R ⇒ S))

Proof.

  (P ⊢ Q) ;_Dac (R ⊢ S)                                                         {Definition of ;_Dac}
= ∃ ok₀ • (P ⊢ Q)[ok₀/ok'] ;_A (R ⊢ S)[ok₀/ok]                                   {Definition of design}
= ∃ ok₀ • ((ok ∧ P) ⇒ (Q ∧ ok'))[ok₀/ok'] ;_A ((ok ∧ R) ⇒ (S ∧ ok'))[ok₀/ok]       {Substitution and assumption}
= ∃ ok₀ • ((ok ∧ P) ⇒ (Q ∧ ok₀)) ;_A ((ok₀ ∧ R) ⇒ (S ∧ ok'))                      {Case-analysis on ok₀ and predicate calculus}
= (((ok ∧ P) ⇒ Q) ;_A (R ⇒ (S ∧ ok'))) ∨ (¬ (ok ∧ P) ;_A true)                     {Predicate calculus}
= ((¬ ok ∨ ¬ P ∨ Q) ;_A (R ⇒ (S ∧ ok'))) ∨ ((¬ ok ∨ ¬ P) ;_A true)                 {Right-distributivity of ;_A (Lemma L.F.1.4)}
= (¬ ok ;_A (R ⇒ (S ∧ ok'))) ∨ (¬ P ;_A (R ⇒ (S ∧ ok'))) ∨ (Q ;_A (R ⇒ (S ∧ ok')))
  ∨ (¬ ok ;_A true) ∨ (¬ P ;_A true)                                              {Lemma L.F.1.1 and predicate calculus}
= ¬ ok ∨ (¬ P ;_A (R ⇒ (S ∧ ok'))) ∨ (Q ;_A (R ⇒ (S ∧ ok'))) ∨ (¬ P ;_A true)       {Assumption: ¬ P is PBMH-healthy and Lemma L.F.2.2}
= ¬ ok ∨ (Q ;_A (R ⇒ (S ∧ ok'))) ∨ (¬ P ;_A true)                                  {Assumption: Q is PBMH-healthy and Lemma L.F.2.4}
= ¬ ok ∨ (Q ;_A ¬ R) ∨ ((Q ;_A (R ⇒ S)) ∧ ok') ∨ (¬ P ;_A true)                     {Predicate calculus}
= (ok ∧ ¬ (¬ P ;_A true) ∧ ¬ (Q ;_A ¬ R)) ⇒ ((Q ;_A (R ⇒ S)) ∧ ok')                {Definition of design}
= (¬ (¬ P ;_A true) ∧ ¬ (Q ;_A ¬ R) ⊢ Q ;_A (R ⇒ S))
□

Theorem T.4.5.2 Provided ok and ok' are not free in P, Q, R and S, that ¬ P and Q are PBMH-healthy, and that ac' is not free in P,

(P ⊢ Q) ;_Dac (R ⊢ S) = (P ∧ ¬ (Q ;_A ¬ R) ⊢ Q ;_A (R ⇒ S))

Proof.

  (P ⊢ Q) ;_Dac (R ⊢ S)                                            {Theorem T.4.5.1}
= (¬ (¬ P ;_A true) ∧ ¬ (Q ;_A ¬ R) ⊢ Q ;_A (R ⇒ S))                 {Assumption: ac' is not free in P and Lemma L.F.1.1}
= (¬ (¬ P) ∧ ¬ (Q ;_A ¬ R) ⊢ Q ;_A (R ⇒ S))                          {Predicate calculus}
= (P ∧ ¬ (Q ;_A ¬ R) ⊢ Q ;_A (R ⇒ S))
□

Theorem T.4.5.3 (;_Dac-A-closure) Provided P and Q are A-healthy and ok, ok' are not free in P and Q,

A(P ;_Dac Q) = P ;_Dac Q

Proof.

  P ;_Dac Q                                                                 {Assumption: P and Q are A-healthy}
= A(¬ P^f ⊢ P^t) ;_Dac A(¬ Q^f ⊢ Q^t)                                        {Definition of A}
= (¬ PBMH(P^f) ⊢ PBMH(P^t) ∧ ac' ≠ ∅) ;_Dac (¬ PBMH(Q^f) ⊢ PBMH(Q^t) ∧ ac' ≠ ∅)
                                                                            {Definition of ;_Dac}
= ∃ ok₀ • (¬ PBMH(P^f) ⊢ PBMH(P^t) ∧ ac' ≠ ∅)[ok₀/ok'] ;_A (¬ PBMH(Q^f) ⊢ PBMH(Q^t) ∧ ac' ≠ ∅)[ok₀/ok]
                                                                            {Definition of design}
= ∃ ok₀ • ((ok ∧ ¬ PBMH(P^f)) ⇒ (PBMH(P^t) ∧ ac' ≠ ∅ ∧ ok'))[ok₀/ok']
          ;_A ((ok ∧ ¬ PBMH(Q^f)) ⇒ (PBMH(Q^t) ∧ ac' ≠ ∅ ∧ ok'))[ok₀/ok]
                                                                            {Substitution and assumption}
= ∃ ok₀ • ((ok ∧ ¬ PBMH(P^f)) ⇒ (PBMH(P^t) ∧ ac' ≠ ∅ ∧ ok₀))
          ;_A ((ok₀ ∧ ¬ PBMH(Q^f)) ⇒ (PBMH(Q^t) ∧ ac' ≠ ∅ ∧ ok'))
                                                                            {Case-analysis on ok₀ and predicate calculus}
= ( ((ok ∧ ¬ PBMH(P^f)) ⇒ (PBMH(P^t) ∧ ac' ≠ ∅)) ;_A (¬ PBMH(Q^f) ⇒ (PBMH(Q^t) ∧ ac' ≠ ∅ ∧ ok')) )
  ∨ (¬ (ok ∧ ¬ PBMH(P^f)) ;_A true)
                                                                            {Predicate calculus}
= ( (¬ ok ∨ PBMH(P^f) ∨ (PBMH(P^t) ∧ ac' ≠ ∅)) ;_A (¬ PBMH(Q^f) ⇒ (PBMH(Q^t) ∧ ac' ≠ ∅ ∧ ok')) )
  ∨ ((¬ ok ∨ PBMH(P^f)) ;_A true)
                                                                            {Right-distributivity of ;_A (Lemma L.F.1.4)}
= (¬ ok ;_A (¬ PBMH(Q^f) ⇒ (PBMH(Q^t) ∧ ac' ≠ ∅ ∧ ok')))
  ∨ (PBMH(P^f) ;_A (¬ PBMH(Q^f) ⇒ (PBMH(Q^t) ∧ ac' ≠ ∅ ∧ ok')))
  ∨ ((PBMH(P^t) ∧ ac' ≠ ∅) ;_A (¬ PBMH(Q^f) ⇒ (PBMH(Q^t) ∧ ac' ≠ ∅ ∧ ok')))
  ∨ (¬ ok ;_A true) ∨ (PBMH(P^f) ;_A true)
                                                                            {Lemma L.F.1.1 and predicate calculus}
= ¬ ok
  ∨ (PBMH(P^f) ;_A (¬ PBMH(Q^f) ⇒ (PBMH(Q^t) ∧ ac' ≠ ∅ ∧ ok')))
  ∨ ((PBMH(P^t) ∧ ac' ≠ ∅) ;_A (¬ PBMH(Q^f) ⇒ (PBMH(Q^t) ∧ ac' ≠ ∅ ∧ ok')))
  ∨ (PBMH(P^f) ;_A true)
                                                                            {Lemma L.F.2.2}
= ¬ ok
  ∨ ((PBMH(P^t) ∧ ac' ≠ ∅) ;_A (¬ PBMH(Q^f) ⇒ (PBMH(Q^t) ∧ ac' ≠ ∅ ∧ ok')))
  ∨ (PBMH(P^f) ;_A true)
                                                                            {Lemma L.F.2.9}
= ¬ ok
  ∨ ((PBMH(P^t) ∧ ac' ≠ ∅) ;_A PBMH(Q^f))
  ∨ (((PBMH(P^t) ∧ ac' ≠ ∅) ;_A (¬ PBMH(Q^f) ⇒ PBMH(Q^t))) ∧ ac' ≠ ∅ ∧ ok')
  ∨ (PBMH(P^f) ;_A true)
                                                                            {Predicate calculus}
= (ok ∧ ¬ (PBMH(P^f) ;_A true) ∧ ¬ ((PBMH(P^t) ∧ ac' ≠ ∅) ;_A PBMH(Q^f)))
  ⇒ (((PBMH(P^t) ∧ ac' ≠ ∅) ;_A (¬ PBMH(Q^f) ⇒ PBMH(Q^t))) ∧ ac' ≠ ∅ ∧ ok')
                                                                            {Definition of design}
= ( ¬ (PBMH(P^f) ;_A true) ∧ ¬ ((PBMH(P^t) ∧ ac' ≠ ∅) ;_A PBMH(Q^f))
    ⊢ ((PBMH(P^t) ∧ ac' ≠ ∅) ;_A (¬ PBMH(Q^f) ⇒ PBMH(Q^t))) ∧ ac' ≠ ∅ )
                                                                            {Definition of A0}
= A0 ( ¬ (PBMH(P^f) ;_A true) ∧ ¬ ((PBMH(P^t) ∧ ac' ≠ ∅) ;_A PBMH(Q^f))
       ⊢ (PBMH(P^t) ∧ ac' ≠ ∅) ;_A (¬ PBMH(Q^f) ⇒ PBMH(Q^t)) )
                                                                            {Lemma L.E.4.4 and Theorems T.E.3.1, T.E.3.2 and T.F.3.1}
= A0 ( ¬ PBMH(PBMH(P^f) ;_A true) ∧ ¬ PBMH((PBMH(P^t) ∧ ac' ≠ ∅) ;_A PBMH(Q^f))
       ⊢ PBMH((PBMH(P^t) ∧ ac' ≠ ∅) ;_A (¬ PBMH(Q^f) ⇒ PBMH(Q^t))) )
                                                                            {Predicate calculus and Theorem T.E.3.2}
= A0 ( ¬ PBMH((PBMH(P^f) ;_A true) ∨ ((PBMH(P^t) ∧ ac' ≠ ∅) ;_A PBMH(Q^f)))
       ⊢ PBMH((PBMH(P^t) ∧ ac' ≠ ∅) ;_A (¬ PBMH(Q^f) ⇒ PBMH(Q^t))) )
                                                                            {Definition of A1 and predicate calculus}
= A0 ∘ A1 ( ¬ ((PBMH(P^f) ;_A true) ∨ ((PBMH(P^t) ∧ ac' ≠ ∅) ;_A PBMH(Q^f)))
            ⊢ (PBMH(P^t) ∧ ac' ≠ ∅) ;_A (¬ PBMH(Q^f) ⇒ PBMH(Q^t)) )
                                                                            {Theorem T.4.5.1}
= A0 ∘ A1 ( (¬ PBMH(P^f) ⊢ PBMH(P^t) ∧ ac' ≠ ∅) ;_Dac (¬ PBMH(Q^f) ⊢ PBMH(Q^t) ∧ ac' ≠ ∅) )
                                                                            {Definition of A}
= A(A(¬ P^f ⊢ P^t) ;_Dac A(¬ Q^f ⊢ Q^t))                                      {Assumption: P and Q are A-healthy}
= A(P ;_Dac Q)
□


Relationship with Extended Binary Multirelations

Theorem T.4.5.4 Provided P and Q are A-healthy designs,

bmb2d(d2bmb(P) ;_BM⊥ d2bmb(Q)) = P ;_Dac Q

Proof.

  bmb2d(d2bmb(P) ;_BM⊥ d2bmb(Q))                                        {Lemma L.C.2.17}
= ok ⇒ ( ((s, {s₁ : State | (s₁, ac') ∈ d2bmb(Q)}) ∈ d2bmb(P) ∧ ⊥ ∉ ac' ∧ ok')
         ∨ ((s, {s₁ : State⊥ | true}) ∈ d2bmb(P) ∧ ⊥ ∉ ac')
         ∨ ((s, {s₁ : State | (s₁, ac' ∪ {⊥}) ∈ d2bmb(Q)}) ∈ d2bmb(P) ∧ ⊥ ∉ ac') )
                                                                        {Lemma L.C.2.16}
= ok ⇒ ( ((¬ P^f ⇒ P^t)[{s : State | ¬ Q^f ⇒ Q^t}/ac'] ∧ ⊥ ∉ ac' ∧ ok')
         ∨ ((s, {s₁ : State⊥ | true}) ∈ d2bmb(P) ∧ ⊥ ∉ ac')
         ∨ ((s, {s₁ : State | (s₁, ac' ∪ {⊥}) ∈ d2bmb(Q)}) ∈ d2bmb(P) ∧ ⊥ ∉ ac') )
                                                                        {Lemma L.C.2.15}
= ok ⇒ ( ((¬ P^f ⇒ P^t)[{s : State | ¬ Q^f ⇒ Q^t}/ac'] ∧ ⊥ ∉ ac' ∧ ok')
         ∨ ((s, {s₁ : State⊥ | true}) ∈ d2bmb(P) ∧ ⊥ ∉ ac')
         ∨ ((¬ P^f ⇒ P^t)[{s : State | Q^f}/ac'] ∧ ⊥ ∉ ac') )
                                                                        {Lemma L.C.2.12}
= ok ⇒ ( ((¬ P^f ⇒ P^t)[{s : State | ¬ Q^f ⇒ Q^t}/ac'] ∧ ⊥ ∉ ac' ∧ ok')
         ∨ (P^f[{s₁ : State | true}/ac'] ∧ ⊥ ∉ ac')
         ∨ ((¬ P^f ⇒ P^t)[{s : State | Q^f}/ac'] ∧ ⊥ ∉ ac') )
                                                                        {Assumption: ⊥ ∉ ac'}
= ok ⇒ ( ((¬ P^f ⇒ P^t)[{s : State | ¬ Q^f ⇒ Q^t}/ac'] ∧ ok')
         ∨ P^f[{s₁ : State | true}/ac']
         ∨ (¬ P^f ⇒ P^t)[{s : State | Q^f}/ac'] )
                                                                        {Definition of ;_A}
= ok ⇒ ( (((¬ P^f ⇒ P^t) ;_A (¬ Q^f ⇒ Q^t)) ∧ ok') ∨ (P^f ;_A true) ∨ ((¬ P^f ⇒ P^t) ;_A Q^f) )
                                                                        {Predicate calculus and Lemma L.F.1.4}
= ok ⇒ ( (((P^f ;_A (¬ Q^f ⇒ Q^t)) ∨ (P^t ;_A (¬ Q^f ⇒ Q^t))) ∧ ok')
         ∨ (P^f ;_A true) ∨ (P^f ;_A Q^f) ∨ (P^t ;_A Q^f) )
                                                                        {Predicate calculus}
= ok ⇒ ( ((P^f ;_A (¬ Q^f ⇒ Q^t)) ∧ ok') ∨ ((P^t ;_A (¬ Q^f ⇒ Q^t)) ∧ ok')
         ∨ (P^f ;_A true) ∨ (P^f ;_A Q^f) ∨ (P^t ;_A Q^f) )
                                                                        {Predicate calculus}
= ok ⇒ ( (((P^f ;_A (¬ Q^f ⇒ Q^t)) ∨ (P^f ;_A true)) ∧ ok') ∨ ((P^t ;_A (¬ Q^f ⇒ Q^t)) ∧ ok')
         ∨ (P^f ;_A true) ∨ (P^f ;_A Q^f) ∨ (P^t ;_A Q^f) )
                                                                        {Assumption: P is PBMH-healthy and Lemmas L.E.5.1 and L.F.2.2}
= ok ⇒ ( ((P^f ;_A true) ∧ ok') ∨ ((P^t ;_A (¬ Q^f ⇒ Q^t)) ∧ ok') ∨ (P^f ;_A true) ∨ (P^t ;_A Q^f) )
                                                                        {Predicate calculus: absorption law}
= ok ⇒ ( ((P^t ;_A (¬ Q^f ⇒ Q^t)) ∧ ok') ∨ (P^f ;_A true) ∨ (P^t ;_A Q^f) )
                                                                        {Predicate calculus}
= (ok ∧ ¬ (P^f ;_A true) ∧ ¬ (P^t ;_A Q^f)) ⇒ ((P^t ;_A (¬ Q^f ⇒ Q^t)) ∧ ok')
                                                                        {Definition of design}
= (¬ (P^t ;_A Q^f) ∧ ¬ (P^f ;_A true) ⊢ P^t ;_A (¬ Q^f ⇒ Q^t))          {Theorem T.4.5.1}
= (¬ P^f ⊢ P^t) ;_Dac (¬ Q^f ⊢ Q^t)                                    {Assumption: P and Q are A-healthy designs}
= P ;_Dac Q
□


Skip

Theorem T.4.5.5 A(II_Dac) = II_Dac

Proof.

  A(II_Dac)                                                     {Definition of II_Dac}
= A(true ⊢ s ∈ ac')                                             {Definition of A}
= (¬ PBMH(¬ true) ⊢ PBMH(s ∈ ac') ∧ ac' ≠ ∅)                     {Lemma L.E.4.2}
= (¬ false ⊢ PBMH(s ∈ ac') ∧ ac' ≠ ∅)                           {Lemma L.E.4.3}
= (¬ false ⊢ s ∈ ac' ∧ ac' ≠ ∅)                                 {Property of sets and predicate calculus}
= (true ⊢ s ∈ ac')                                              {Definition of II_Dac}
= II_Dac
□


Theorem T.4.5.6 Provided P is a design, II_Dac ;_Dac P = P

Proof.

  II_Dac ;_Dac P                                                             {Definition of II_Dac and design}
= (true ⊢ s ∈ ac') ;_Dac (¬ P^f ⊢ P^t)                                       {Theorem T.4.5.1}
= (¬ (¬ true ;_A true) ∧ ¬ (s ∈ ac' ;_A P^f) ⊢ s ∈ ac' ;_A (¬ P^f ⇒ P^t))      {Predicate calculus}
= (¬ (false ;_A true) ∧ ¬ (s ∈ ac' ;_A P^f) ⊢ s ∈ ac' ;_A (¬ P^f ⇒ P^t))       {Definition of ;_A and substitution}
= (¬ false ∧ ¬ (s ∈ ac' ;_A P^f) ⊢ s ∈ ac' ;_A (¬ P^f ⇒ P^t))                  {Predicate calculus}
= (¬ (s ∈ ac' ;_A P^f) ⊢ s ∈ ac' ;_A (¬ P^f ⇒ P^t))                            {Lemma L.F.6.2}
= (¬ P^f ⊢ (¬ P^f ⇒ P^t))                                                    {Predicate calculus}
= (¬ P^f ⊢ P^t)                                                              {Definition of design}
= P
□

Theorem T.4.5.7 Provided P is an A-healthy design,

P ;_Dac II_Dac = ((¬ ∃ ac' • P^f) ⊢ P^t)

Proof.

  P ;_Dac II_Dac                                                                   {Definition of design and II_Dac}
= (¬ P^f ⊢ P^t) ;_Dac (true ⊢ s ∈ ac')                                             {Theorem T.4.5.1}
= (¬ (P^f ;_A true) ∧ ¬ (P^t ;_A false) ⊢ P^t ;_A (true ⇒ s ∈ ac'))                 {Predicate calculus}
= (¬ (P^f ;_A true) ∧ ¬ (P^t ;_A false) ⊢ P^t ;_A s ∈ ac')                          {Assumption: P is A-healthy}
= ( ¬ (P^f ;_A true) ∧ ¬ ((P^t ∧ ac' ≠ ∅) ;_A false)
    ⊢ (P^t ∧ ac' ≠ ∅) ;_A s ∈ ac' )                                                 {Right-distributivity of ;_A (Lemma L.F.1.5)}
= ( ¬ (P^f ;_A true) ∧ ¬ ((P^t ;_A false) ∧ (ac' ≠ ∅ ;_A false))
    ⊢ (P^t ;_A s ∈ ac') ∧ (ac' ≠ ∅ ;_A s ∈ ac') )                                   {Definition of ;_A and substitution}
= ( ¬ (P^f ;_A true) ∧ ¬ ((P^t ;_A false) ∧ ∅ ≠ ∅)
    ⊢ (P^t ;_A s ∈ ac') ∧ (ac' ≠ ∅ ;_A s ∈ ac') )                                   {Property of sets and predicate calculus}
= (¬ (P^f ;_A true) ⊢ (P^t ;_A s ∈ ac') ∧ (ac' ≠ ∅ ;_A s ∈ ac'))                    {s ∈ ac' is right-unit of ;_A (Lemma L.F.6.3)}
= (¬ (P^f ;_A true) ⊢ P^t ∧ ac' ≠ ∅)                                               {Lemma L.F.4.2}
= (¬ ∃ ac' • P^f ⊢ P^t ∧ ac' ≠ ∅)                                                  {Assumption: P is A-healthy}
= (¬ ∃ ac' • P^f ⊢ P^t)
□

Theorem T.4.5.8 Provided P is an A-healthy design, it is H3-healthy if, and only if, its precondition does not mention ac',

(P ;_Dac II_Dac) = P ⇔ ((∃ ac' • ¬ P^f) = ¬ P^f)

Proof.

  (P ;_Dac II_Dac) = P                                                       {Assumption: P is A-healthy}
⇔ (P ;_Dac II_Dac) = (¬ P^f ⊢ P^t ∧ ac' ≠ ∅)                                 {Theorem T.4.5.7}
⇔ (¬ ∃ ac' • P^f ⊢ P^t ∧ ac' ≠ ∅) = (¬ P^f ⊢ P^t ∧ ac' ≠ ∅)                   {Equality of designs}
⇔ [(¬ ∃ ac' • P^f) = ¬ P^f]                                                  {Predicate calculus}
⇔ [(∃ ac' • P^f) = P^f]                                                      {Predicate calculus (Lemma L.C.3.1)}
⇔ [(∃ ac' • ¬ P^f) = ¬ P^f]
□

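The unit laws for II_Dac are the one place in this section where a healthiness condition of the sequential theory (H3) is decided by a syntactic property of the design, so they are worth checking against a direct evaluation of the definitions rather than only by calculation. The Python model below is an added example and is not part of the thesis: State is fixed to {0, 1} (an assumption; nothing depends on the size), ac' ranges over ℙ State, predicates and designs are encoded as Python functions (our encoding), and ;_A and ;_Dac are transcribed from their definitions as used in this section, P ;_A Q = P[{s | Q}/ac'] and P ;_Dac Q = ∃ ok₀ • P[ok₀/ok'] ;_A Q[ok₀/ok]. It evaluates Theorems T.4.5.6, T.4.5.7 and T.4.5.8 on randomly generated A-healthy designs and counts how many of them are not H3-healthy.

```python
"""Finite model of angelic designs over a two-element state space, checking
Theorems T.4.5.6, T.4.5.7 and T.4.5.8 by evaluating the definitions directly.
Added example, not part of the thesis; the encoding of predicates as Python
functions and the choice State = {0, 1} are ours."""
from itertools import combinations
import random

STATE = (0, 1)                                                   # State (assumption)
ACS = [frozenset(c) for r in range(len(STATE) + 1)
       for c in combinations(STATE, r)]                          # P State, the values of ac'
POINTS = [(ok, s, ac, okp) for ok in (False, True) for s in STATE
          for ac in ACS for okp in (False, True)]               # alphabet ok, s, ac', ok'


def design(pre, post):
    """(pre ⊢ post) = (ok ∧ pre ⇒ post ∧ ok'); pre and post are predicates on (s, ac')."""
    return lambda ok, s, ac, okp: (not (ok and pre(s, ac))) or (post(s, ac) and okp)


def seq_a(p, q):
    """P ;_A Q = P[{s | Q}/ac']: ac' in P is replaced by the set of states in which Q holds."""
    return lambda ok, s, ac, okp: p(ok, s, frozenset(s1 for s1 in STATE if q(ok, s1, ac, okp)), okp)


def subst_okp(p, ok0):                       # P[ok0/ok']
    return lambda ok, s, ac, okp: p(ok, s, ac, ok0)


def subst_ok(q, ok0):                        # Q[ok0/ok]
    return lambda ok, s, ac, okp: q(ok0, s, ac, okp)


def seq_dac(p, q):
    """P ;_Dac Q = ∃ ok0 • P[ok0/ok'] ;_A Q[ok0/ok]."""
    return lambda *pt: any(seq_a(subst_okp(p, ok0), subst_ok(q, ok0))(*pt) for ok0 in (False, True))


SKIP = design(lambda s, ac: True, lambda s, ac: s in ac)        # II_Dac = (true ⊢ s ∈ ac')


def pbmh(x):
    """PBMH(X) = ∃ ac0 • X[ac0/ac'] ∧ ac0 ⊆ ac' (Lemma L.4.2.1): upward closure in ac'."""
    return lambda s, ac: any(x(s, ac0) for ac0 in ACS if ac0 <= ac)


def a_healthy(f, t):
    """Precondition and postcondition of A(¬f ⊢ t) = (¬PBMH(f) ⊢ PBMH(t) ∧ ac' ≠ ∅)."""
    pf, pt = pbmh(f), pbmh(t)
    return (lambda s, ac: not pf(s, ac)), (lambda s, ac: pt(s, ac) and len(ac) > 0)


def equal(d0, d1):
    return all(d0(*pt) == d1(*pt) for pt in POINTS)


def random_pred(rng):
    table = {(s, ac): rng.random() < 0.5 for s in STATE for ac in ACS}
    return lambda s, ac: table[(s, ac)]


def check(samples=200, seed=7):
    """Evaluates the three theorems on random A-healthy designs.  Every flag must stay
    True; h3_fails_seen counts the designs whose precondition mentions ac' (not H3)."""
    rng = random.Random(seed)
    res = {"T.4.5.6": True, "T.4.5.7": True, "T.4.5.8": True, "h3_fails_seen": 0}
    for _ in range(samples):
        pre, post = a_healthy(random_pred(rng), random_pred(rng))
        p = design(pre, post)
        # T.4.5.6: II_Dac is a left unit for every design.
        res["T.4.5.6"] &= equal(seq_dac(SKIP, p), p)
        # T.4.5.7: P ;_Dac II_Dac = ((¬ ∃ ac' • P^f) ⊢ P^t): the precondition now has
        # to hold for every ac'; the postcondition is unchanged.
        weakest = design(lambda s, ac: all(pre(s, a) for a in ACS), post)
        res["T.4.5.7"] &= equal(seq_dac(p, SKIP), weakest)
        # T.4.5.8: II_Dac is a right unit (H3) iff the precondition does not depend on ac'.
        indep = all(pre(s, ac) == pre(s, ACS[0]) for s in STATE for ac in ACS)
        h3 = equal(seq_dac(p, SKIP), p)
        res["T.4.5.8"] &= (h3 == indep)
        res["h3_fails_seen"] += int(not h3)
    return res


if __name__ == "__main__":
    print(check())
```

Because PBMH makes the negated precondition upward closed in ac', the quantified precondition ∀ ac' • pre in T.4.5.7 coincides with pre evaluated at the whole of State, which is what the model computes; a design whose precondition varies with ac' is reported as a non-H3 case, exactly the situation T.4.5.8 characterises.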

Properties with respect to the Extreme Points

Theorem T.4.5.9 ⊥_D ;_Dac P = ⊥_D

Proof.

  ⊥_D ;_Dac P                                                   {Definition of ⊥_D}
= true ;_Dac P                                                  {Definition of ;_Dac}
= ∃ ok₀ • true[ok₀/ok'] ;_A P[ok₀/ok]                            {Case-split on ok₀ and property of substitution}
= (true ;_A P[true/ok]) ∨ (true ;_A P[false/ok])                 {Definition of ;_A}
= true ∨ true                                                   {Propositional calculus and definition of ⊥_D}
= ⊥_D
□


Theorem T.4.5.10 ⊤_D ;_Dac P = ⊤_D

Proof.

  ⊤_D ;_Dac P                                                   {Definition of ⊤_D}
= (¬ ok) ;_Dac P                                                {Definition of ;_Dac}
= ∃ ok₀ • (¬ ok)[ok₀/ok'] ;_A P[ok₀/ok]                          {Substitution and case-split on ok₀}
= (¬ ok ;_A P[true/ok]) ∨ (¬ ok ;_A P[false/ok])                 {Definition of ;_A and substitution}
= ¬ ok                                                          {Definition of ⊤_D}
= ⊤_D
□

Properties with respect to A2

Theorem T.C.4.1 Provided P and Q are A2-healthy, A2(P ;_Dac Q) = P ;_Dac Q

Proof.

  P ;_Dac Q                                                      {Assumption: P and Q are A2-healthy}
= A2(P) ;_Dac A2(Q)                                              {Definition of ;_Dac}
= ∃ ok₀ • A2(P)[ok₀/ok'] ;_A A2(Q)[ok₀/ok]                        {Lemmas L.C.1.22 and L.C.1.23}
= ∃ ok₀ • A2(P[ok₀/ok']) ;_A A2(Q[ok₀/ok])                        {Lemma L.C.1.28}
= ∃ ok₀ • A2(A2(P[ok₀/ok']) ;_A A2(Q[ok₀/ok]))                    {Lemma L.C.1.24}
= A2(∃ ok₀ • A2(P[ok₀/ok']) ;_A A2(Q[ok₀/ok]))                    {Lemmas L.C.1.22 and L.C.1.23}
= A2(∃ ok₀ • A2(P)[ok₀/ok'] ;_A A2(Q)[ok₀/ok])                    {Definition of ;_Dac}
= A2(A2(P) ;_Dac A2(Q))                                          {Assumption: P and Q are A2-healthy}
= A2(P ;_Dac Q)
□
Other Properties

Lemma L.C.4.1 Provided P is PBMH-healthy and ok' is not free in P,

P ;_Dac Q ⇒ P ;_A (∃ ok • Q)

Proof.

  P ;_Dac Q                                                              {Definition of ;_Dac}
= ∃ ok₀ • P[ok₀/ok'] ;_A Q[ok₀/ok]                                       {Assumption: ok' is not free in P}
= ∃ ok₀ • P ;_A Q[ok₀/ok]                                                {Assumption: P is PBMH-healthy}
= ∃ ok₀ • PBMH(P) ;_A Q[ok₀/ok]                                          {Definition of PBMH (Lemma L.4.2.1)}
= ∃ ok₀ • (∃ ac₀ • P[ac₀/ac'] ∧ ac₀ ⊆ ac') ;_A Q[ok₀/ok]                  {Definition of ;_A and substitution}
= ∃ ok₀ • ∃ ac₀ • P[ac₀/ac'] ∧ ac₀ ⊆ {s | Q[ok₀/ok]}                      {Predicate calculus}
= ∃ ac₀ • P[ac₀/ac'] ∧ ∃ ok₀ • ac₀ ⊆ {s | Q[ok₀/ok]}                      {Property of sets}
= ∃ ac₀ • P[ac₀/ac'] ∧ ∃ ok₀ • (∀ z • z ∈ ac₀ ⇒ z ∈ {s | Q[ok₀/ok]})      {Predicate calculus}
⇒ ∃ ac₀ • P[ac₀/ac'] ∧ ∀ z • ∃ ok₀ • (z ∈ ac₀ ⇒ z ∈ {s | Q[ok₀/ok]})      {Predicate calculus}
= ∃ ac₀ • P[ac₀/ac'] ∧ ∀ z • z ∈ ac₀ ⇒ (∃ ok₀ • z ∈ {s | Q[ok₀/ok]})      {Property of sets}
= ∃ ac₀ • P[ac₀/ac'] ∧ ∀ z • z ∈ ac₀ ⇒ (∃ ok₀ • Q[ok₀/ok][z/s])           {Substitution}
= ∃ ac₀ • P[ac₀/ac'] ∧ ∀ z • z ∈ ac₀ ⇒ ((∃ ok₀ • Q[ok₀/ok])[z/s])         {Property of sets}
= ∃ ac₀ • P[ac₀/ac'] ∧ ∀ z • z ∈ ac₀ ⇒ z ∈ {s | ∃ ok₀ • Q[ok₀/ok]}        {Property of sets}
= ∃ ac₀ • P[ac₀/ac'] ∧ ac₀ ⊆ {s | ∃ ok₀ • Q[ok₀/ok]}                      {Definition of ;_A and substitution}
= (∃ ac₀ • P[ac₀/ac'] ∧ ac₀ ⊆ ac') ;_A (∃ ok₀ • Q[ok₀/ok])                {Definition of PBMH (Lemma L.4.2.1)}
= PBMH(P) ;_A (∃ ok₀ • Q[ok₀/ok])                                        {Assumption: P is PBMH-healthy}
= P ;_A (∃ ok₀ • Q[ok₀/ok])                                              {Predicate calculus}
= P ;_A (∃ ok • Q)
□


C.4.2 Demonic Choice

Properties

Theorem T.4.5.11 Provided P and Q are designs,

A(P ∨ Q) = A(P) ∨ A(Q)

Proof.

  A(P ∨ Q)                                                                  {Definition of design}
= A((¬ P^f ⊢ P^t) ∨ (¬ Q^f ⊢ Q^t))                                           {Disjunction of designs}
= A(¬ P^f ∧ ¬ Q^f ⊢ P^t ∨ Q^t)                                               {Predicate calculus}
= A(¬ (P^f ∨ Q^f) ⊢ P^t ∨ Q^t)                                               {Definition of A}
= (¬ PBMH(P^f ∨ Q^f) ⊢ PBMH(P^t ∨ Q^t) ∧ ac' ≠ ∅)                             {Distributivity of PBMH w.r.t. disjunction (Theorem T.E.2.2)}
= (¬ (PBMH(P^f) ∨ PBMH(Q^f)) ⊢ (PBMH(P^t) ∨ PBMH(Q^t)) ∧ ac' ≠ ∅)             {Predicate calculus}
= (¬ PBMH(P^f) ∧ ¬ PBMH(Q^f) ⊢ (PBMH(P^t) ∧ ac' ≠ ∅) ∨ (PBMH(Q^t) ∧ ac' ≠ ∅))  {Disjunction of designs}
= (¬ PBMH(P^f) ⊢ PBMH(P^t) ∧ ac' ≠ ∅) ∨ (¬ PBMH(Q^f) ⊢ PBMH(Q^t) ∧ ac' ≠ ∅)    {Definition of A}
= A(¬ P^f ⊢ P^t) ∨ A(¬ Q^f ⊢ Q^t)                                            {Definition of design}
= A(P) ∨ A(Q)
□


Theorem T.4.5.12 Provided P and Q are A-healthy designs,

A(P ⊓_Dac Q) = P ⊓_Dac Q

Proof.

  A(P ⊓_Dac Q)                                        {Definition of ⊓_Dac and Theorem T.4.5.11}
= A(P) ∨ A(Q)                                         {Assumption: P and Q are A-healthy}
= P ⊓_Dac Q
□


Relationship with Extended Binary Multirelations

Theorem T.4.5.13 bmb2p(B₀ ⊓_BM⊥ B₁) = bmb2p(B₀) ⊓_Dac bmb2p(B₁)

Proof.

  bmb2p(B₀ ⊓_BM⊥ B₁)                                                     {Definition of ⊓_BM⊥}
= bmb2p(B₀ ∪ B₁)                                                         {Definition of bmb2p}
= ok ⇒ ( ((s, ac') ∈ (B₀ ∪ B₁) ∧ ⊥ ∉ ac' ∧ ok')
         ∨ ((s, ac' ∪ {⊥}) ∈ (B₀ ∪ B₁) ∧ ⊥ ∉ ac') )                       {Property of sets}
= ok ⇒ ( (((s, ac') ∈ B₀ ∨ (s, ac') ∈ B₁) ∧ ⊥ ∉ ac' ∧ ok')
         ∨ (((s, ac' ∪ {⊥}) ∈ B₀ ∨ (s, ac' ∪ {⊥}) ∈ B₁) ∧ ⊥ ∉ ac') )       {Propositional calculus}
= ok ⇒ ( ((((s, ac') ∈ B₀ ∧ ⊥ ∉ ac') ∨ ((s, ac') ∈ B₁ ∧ ⊥ ∉ ac')) ∧ ok')
         ∨ ((s, ac' ∪ {⊥}) ∈ B₀ ∧ ⊥ ∉ ac')
         ∨ ((s, ac' ∪ {⊥}) ∈ B₁ ∧ ⊥ ∉ ac') )                               {Propositional calculus}
= ( ok ∧ ¬ ((s, ac' ∪ {⊥}) ∈ B₀ ∧ ⊥ ∉ ac') ∧ ¬ ((s, ac' ∪ {⊥}) ∈ B₁ ∧ ⊥ ∉ ac') )
  ⇒ ( (((s, ac') ∈ B₀ ∧ ⊥ ∉ ac') ∨ ((s, ac') ∈ B₁ ∧ ⊥ ∉ ac')) ∧ ok' )       {Property of designs}
= ( ¬ ((s, ac' ∪ {⊥}) ∈ B₀ ∧ ⊥ ∉ ac') ∧ ¬ ((s, ac' ∪ {⊥}) ∈ B₁ ∧ ⊥ ∉ ac')
    ⊢ ((s, ac') ∈ B₀ ∧ ⊥ ∉ ac') ∨ ((s, ac') ∈ B₁ ∧ ⊥ ∉ ac') )               {Disjunction of designs and definition of ⊓_Dac}
= ( ¬ ((s, ac' ∪ {⊥}) ∈ B₀ ∧ ⊥ ∉ ac') ⊢ (s, ac') ∈ B₀ ∧ ⊥ ∉ ac' )
  ⊓_Dac ( ¬ ((s, ac' ∪ {⊥}) ∈ B₁ ∧ ⊥ ∉ ac') ⊢ (s, ac') ∈ B₁ ∧ ⊥ ∉ ac' )      {Definition of bmb2p}
= bmb2p(B₀) ⊓_Dac bmb2p(B₁)
□


Other Properties

Theorem T.4.5.14 P ⊓_Dac ⊥_D = ⊥_D

Proof.

  P ⊓_Dac ⊥_D                                  {Definition of ⊓_Dac and ⊥_D}
= P ∨ true                                     {Propositional calculus and definition of ⊥_D}
= ⊥_D
□

Theorem T.4.5.15 (P ⊓_Dac Q) ;_Dac R = (P ;_Dac R) ⊓_Dac (Q ;_Dac R)

Proof.

  (P ;_Dac R) ⊓_Dac (Q ;_Dac R)                                                 {Definition of ;_Dac and ⊓_Dac}
= (∃ ok₀ • P[ok₀/ok'] ;_A R[ok₀/ok]) ∨ (∃ ok₀ • Q[ok₀/ok'] ;_A R[ok₀/ok])        {Propositional calculus}
= ∃ ok₀ • (P[ok₀/ok'] ;_A R[ok₀/ok]) ∨ (Q[ok₀/ok'] ;_A R[ok₀/ok])                {Right-distributivity of ;_A (Lemma L.F.1.4)}
= ∃ ok₀ • (P[ok₀/ok'] ∨ Q[ok₀/ok']) ;_A R[ok₀/ok]                                {Definition of ;_Dac and ⊓_Dac}
= (P ⊓_Dac Q) ;_Dac R
□


Other Properties

Lemma L.C.4.2 Provided P ⇒ R, P ;_Dac Q ⇒ R ;_Dac Q.

Proof.

  P ;_Dac Q                                                          {Definition of ;_Dac}
= ∃ ok₀ • P[ok₀/ok'] ;_A Q[ok₀/ok]                                   {Assumption: P ⇒ R}
= ∃ ok₀ • (P ∧ R)[ok₀/ok'] ;_A Q[ok₀/ok]                             {Substitution}
= ∃ ok₀ • (P[ok₀/ok'] ∧ R[ok₀/ok']) ;_A Q[ok₀/ok]                    {Lemma L.F.1.5}
= ∃ ok₀ • (P[ok₀/ok'] ;_A Q[ok₀/ok]) ∧ (R[ok₀/ok'] ;_A Q[ok₀/ok])     {Predicate calculus}
⇒ ∃ ok₀ • (R[ok₀/ok'] ;_A Q[ok₀/ok])                                 {Definition of ;_Dac}
= R ;_Dac Q
□

Lemma L.C.4.3 Provided Q ⇒ R, P ;_Dac Q ⇒ P ;_Dac R.

Proof.

  P ;_Dac Q                                                           {Definition of ;_Dac}
= ∃ ok₀ • P[ok₀/ok'] ;_A Q[ok₀/ok]                                    {Assumption: Q ⇒ R}
= ∃ ok₀ • P[ok₀/ok'] ;_A (Q ∧ R)[ok₀/ok]                              {Substitution}
= ∃ ok₀ • P[ok₀/ok'] ;_A (Q[ok₀/ok] ∧ R[ok₀/ok])                      {Predicate calculus and Lemma L.F.1.6}
⇒ (∃ ok₀ • P[ok₀/ok'] ;_A Q[ok₀/ok]) ∧ (∃ ok₀ • P[ok₀/ok'] ;_A R[ok₀/ok])
                                                                      {Predicate calculus}
⇒ ∃ ok₀ • P[ok₀/ok'] ;_A R[ok₀/ok]                                    {Definition of ;_Dac}
= P ;_Dac R
□

Lemma L.C.4.4 Provided ok' is not free in P and ok is not free in Q,

P ;_Dac Q = P ;_A Q

Proof.

  P ;_Dac Q                                   {Definition of ;_Dac}
= ∃ ok₀ • P[ok₀/ok'] ;_A Q[ok₀/ok]            {Assumption: ok' is not free in P}
= ∃ ok₀ • P ;_A Q[ok₀/ok]                     {Assumption: ok is not free in Q}
= ∃ ok₀ • P ;_A Q                             {Definition of ;_A}
= ∃ ok₀ • P[{s | Q}/ac']                      {Predicate calculus}
= P[{s | Q}/ac']                              {Definition of ;_A}
= P ;_A Q
□


C.4.3 Angelic Choice

Closure

Theorem T.4.5.16 Provided P and Q are A-healthy,

A(P ⊔_Dac Q) = P ⊔_Dac Q

Proof.

  P ⊔_Dac Q                                                        {Assumption: P and Q are A-healthy}
= A(P) ⊔_Dac A(Q)                                                  {Definition of ⊔_Dac and A}
= A0 ∘ A1(P) ∧ A0 ∘ A1(Q)                                          {Theorems T.C.1.1 and T.4.2.1}
= A0(A0 ∘ A1(P) ∧ A0 ∘ A1(Q))                                      {Theorems T.4.2.6 and T.4.2.8}
= A0(A1 ∘ A0 ∘ A1(P) ∧ A1 ∘ A0 ∘ A1(Q))                            {A1 is PBMH and Theorem T.E.3.1}
= A0 ∘ A1(A1 ∘ A0 ∘ A1(P) ∧ A1 ∘ A0 ∘ A1(Q))                       {Theorems T.4.2.6 and T.4.2.8}
= A0 ∘ A1(A0 ∘ A1(P) ∧ A0 ∘ A1(Q))                                 {Definition of ⊔_Dac and A}
= A(A(P) ⊔_Dac A(Q))                                               {Assumption: P and Q are A-healthy}
= A(P ⊔_Dac Q)
□


Relationship with Extended Binary Multirelations

Theorem T.4.5.17 Provided B₀ and B₁ are BMH1-healthy,

bmb2p(B₀ ⊔_BM⊥ B₁) = bmb2p(B₀) ⊔_Dac bmb2p(B₁)

Proof.

  bmb2p(B₀) ⊔_Dac bmb2p(B₁)                                                   {Definition of bmb2p and ⊔_Dac}
= ( (s, ac' ∪ {⊥}) ∉ B₀ ∨ ⊥ ∈ ac' ⊢ (s, ac') ∈ B₀ ∧ ⊥ ∉ ac' )
  ∧ ( (s, ac' ∪ {⊥}) ∉ B₁ ∨ ⊥ ∈ ac' ⊢ (s, ac') ∈ B₁ ∧ ⊥ ∉ ac' )                {Definition of ⊔ for designs}
= ( (s, ac' ∪ {⊥}) ∉ B₀ ∨ ⊥ ∈ ac' ∨ (s, ac' ∪ {⊥}) ∉ B₁ ∨ ⊥ ∈ ac'
    ⊢ ( ((s, ac' ∪ {⊥}) ∉ B₀ ∨ ⊥ ∈ ac') ⇒ ((s, ac') ∈ B₀ ∧ ⊥ ∉ ac') )
      ∧ ( ((s, ac' ∪ {⊥}) ∉ B₁ ∨ ⊥ ∈ ac') ⇒ ((s, ac') ∈ B₁ ∧ ⊥ ∉ ac') ) )       {Propositional calculus}
= ( (s, ac' ∪ {⊥}) ∉ B₀ ∨ ⊥ ∈ ac' ∨ (s, ac' ∪ {⊥}) ∉ B₁
    ⊢ ((s, ac' ∪ {⊥}) ∈ B₀ ∨ (s, ac') ∈ B₀)
      ∧ ((s, ac' ∪ {⊥}) ∈ B₁ ∨ (s, ac') ∈ B₁)
      ∧ ⊥ ∉ ac' )                                                              {Assumption: B₀ and B₁ are BMH1-healthy}
= ( (s, ac' ∪ {⊥}) ∉ B₀ ∨ ⊥ ∈ ac' ∨ (s, ac' ∪ {⊥}) ∉ B₁
    ⊢ (((s, ac' ∪ {⊥}) ∈ B₀ ∧ (s, ac') ∈ B₀) ∨ (s, ac') ∈ B₀)
      ∧ (((s, ac' ∪ {⊥}) ∈ B₁ ∧ (s, ac') ∈ B₁) ∨ (s, ac') ∈ B₁)
      ∧ ⊥ ∉ ac' )                                                              {Propositional calculus: absorption law}
= ( (s, ac' ∪ {⊥}) ∉ B₀ ∨ ⊥ ∈ ac' ∨ (s, ac' ∪ {⊥}) ∉ B₁
    ⊢ (s, ac') ∈ B₀ ∧ (s, ac') ∈ B₁ ∧ ⊥ ∉ ac' )                                 {Propositional calculus}
= ( ¬ ((s, ac' ∪ {⊥}) ∈ B₀ ∧ (s, ac' ∪ {⊥}) ∈ B₁) ∨ ⊥ ∈ ac'
    ⊢ (s, ac') ∈ B₀ ∧ (s, ac') ∈ B₁ ∧ ⊥ ∉ ac' )                                 {Property of sets}
= ( (s, ac' ∪ {⊥}) ∉ (B₀ ∩ B₁) ∨ ⊥ ∈ ac' ⊢ (s, ac') ∈ (B₀ ∩ B₁) ∧ ⊥ ∉ ac' )      {Definition of bmb2p}
= bmb2p(B₀ ∩ B₁)                                                                {Definition of ⊔_BM⊥}
= bmb2p(B₀ ⊔_BM⊥ B₁)
□


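The two choice theorems differ in an instructive way: the demonic one (T.4.5.13) holds for arbitrary multirelations, while the angelic one needs BMH1, which the proof invokes at exactly one step. The Python model below, an added example that is not part of the thesis, makes that difference concrete on a finite model: State is fixed to {0, 1} and ⊥ is the token "bot" (both our choices; nothing depends on them), a multirelation is a frozenset of (s, ss) pairs, a design is a Python function of (ok, s, ac', ok'), bmb2p is transcribed from its definition as used in the proof of T.4.5.17, and BMH1 is encoded the way that proof uses it, (s, ss ∪ {⊥}) ∈ B ⇒ (s, ss) ∈ B. It checks T.4.5.13 and Lemma L.C.3.2 on random pairs of multirelations, checks T.4.5.17 on pairs closed under BMH1, and exhibits a pair that is not BMH1-healthy on which the angelic equation fails.

```python
"""Finite model of the extended binary multirelations BM⊥ and of their encoding
bmb2p as designs, checked on a two-element state space.  Added example, not
part of the thesis; State = {0, 1} and the token "bot" for ⊥ are our choices."""
from itertools import combinations
import random

STATE = (0, 1)                      # State (assumption)
BOT = "bot"                         # the distinguished state ⊥ of State⊥
STATE_BOT = STATE + (BOT,)


def powerset(xs):
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


PAIRS = [(s, ss) for s in STATE for ss in powerset(STATE_BOT)]        # State × P State⊥
POINTS = [(ok, s, ac, okp) for ok in (False, True) for s in STATE
          for ac in powerset(STATE_BOT) for okp in (False, True)]     # ok, s, ac', ok'


def bmb2p(B):
    """bmb2p(B) = ((s, ac' ∪ {⊥}) ∉ B ∨ ⊥ ∈ ac'  ⊢  (s, ac') ∈ B ∧ ⊥ ∉ ac'),
    unfolded through (P ⊢ Q) = (ok ∧ P ⇒ Q ∧ ok')."""
    def d(ok, s, ac, okp):
        pre = (s, ac | {BOT}) not in B or BOT in ac
        post = (s, ac) in B and BOT not in ac
        return (not (ok and pre)) or (post and okp)
    return d


def equal(d0, d1):
    return all(d0(*pt) == d1(*pt) for pt in POINTS)


def demonic(d0, d1):                 # ⊓_Dac is disjunction of designs
    return lambda *pt: d0(*pt) or d1(*pt)


def angelic(d0, d1):                 # ⊔_Dac is conjunction of designs
    return lambda *pt: d0(*pt) and d1(*pt)


def bmh1(B):
    """BMH1 as the proof of T.4.5.17 uses it: (s, ss ∪ {⊥}) ∈ B ⇒ (s, ss) ∈ B."""
    return all((s, ss - {BOT}) in B for (s, ss) in B if BOT in ss)


def bmh1_close(B):
    """Smallest BMH1-healthy multirelation containing B."""
    return frozenset(B) | frozenset((s, ss - {BOT}) for (s, ss) in B if BOT in ss)


def subset_by_lemma_c32(B1, B0):
    """Left-hand side of Lemma L.C.3.2, with ac' ranging over P State (no ⊥)."""
    return all(((s, ac) not in B1 or (s, ac) in B0) and
               ((s, ac | {BOT}) not in B1 or (s, ac | {BOT}) in B0)
               for s in STATE for ac in powerset(STATE))


def random_multirelation(rng):
    return frozenset(p for p in PAIRS if rng.random() < 0.5)


def check_theorems(samples=300, seed=1):
    """One flag per result; all must be True."""
    rng = random.Random(seed)
    ok = {"T.4.5.13": True, "T.4.5.17": True, "L.C.3.2": True}
    for _ in range(samples):
        b0, b1 = random_multirelation(rng), random_multirelation(rng)
        # T.4.5.13: union of multirelations is demonic choice of designs, no proviso.
        ok["T.4.5.13"] &= equal(bmb2p(b0 | b1), demonic(bmb2p(b0), bmb2p(b1)))
        # L.C.3.2: subset inclusion is the pair of pointwise implications.
        ok["L.C.3.2"] &= ((b1 <= b0) == subset_by_lemma_c32(b1, b0)) and subset_by_lemma_c32(b0 & b1, b0)
        # T.4.5.17: intersection is angelic choice, for BMH1-healthy operands.
        h0, h1 = bmh1_close(b0), bmh1_close(b1)
        ok["T.4.5.17"] &= bmh1(h0) and bmh1(h1) and equal(bmb2p(h0 & h1), angelic(bmb2p(h0), bmb2p(h1)))
    return ok


def angelic_counterexample():
    """B0 = {(0, {⊥})} is not BMH1-healthy, since (0, ∅) is missing; with B1 = {(0, ∅)}
    the equation of T.4.5.17 fails.  Returns (bmh1(B0), equation holds)."""
    b0 = frozenset({(0, frozenset({BOT}))})
    b1 = frozenset({(0, frozenset())})
    return bmh1(b0), equal(bmb2p(b0 & b1), angelic(bmb2p(b0), bmb2p(b1)))


if __name__ == "__main__":
    print(check_theorems(), angelic_counterexample())
```

In the counterexample, bmb2p(B₀) is satisfied at ok, s = 0, ac' = ∅ because (0, {⊥}) ∈ B₀ falsifies its precondition, and bmb2p(B₁) is satisfied there with ok' because (0, ∅) ∈ B₁, so their conjunction holds; but B₀ ∩ B₁ is empty, so bmb2p(B₀ ∩ B₁) has a true precondition and a false postcondition at that point. Closing the operands under BMH1 removes exactly this gap, which is the content of the step labelled with the assumption in the proof.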
Properties with respect to the Extreme Points

Theorem T.4.5.18 Provided P is a design, P ⊔_Dac ⊤_D = ⊤_D.

Proof.

  P ⊔_Dac ⊤_D                                      {Definition of ⊔_Dac and ⊤_D}
= P ∧ ¬ ok                                         {Definition of design}
= (¬ P^f ⊢ P^t) ∧ ¬ ok                             {Definition of design}
= ((ok ∧ ¬ P^f) ⇒ (P^t ∧ ok')) ∧ ¬ ok               {Predicate calculus}
= (¬ ok ∨ P^f ∨ (P^t ∧ ok')) ∧ ¬ ok                 {Predicate calculus: absorption law}
= ¬ ok                                             {Definition of ⊤_D}
= ⊤_D
□
C.5 Relationship with Angelic Designs

C.5.1 d2ac

Theorem T.4.6.6 A ∘ d2ac(P) = d2ac(P)

Proof.

  A ∘ d2ac(P)                                                                        {Definition of d2ac}
= A(¬ p2ac(P^f) ∧ (¬ P^f[s/inα_ok] ; true) ⊢ p2ac(P^t))                                 {Definition of A}
= A0 ∘ A1(¬ p2ac(P^f) ∧ (¬ P^f[s/inα_ok] ; true) ⊢ p2ac(P^t))                           {Definition of A1}
= A0 ( ¬ PBMH(¬ (¬ p2ac(P^f) ∧ (¬ P^f[s/inα_ok] ; true))) ⊢ PBMH ∘ p2ac(P^t) )           {Predicate calculus}
= A0 ( ¬ PBMH(p2ac(P^f) ∨ ¬ (¬ P^f[s/inα_ok] ; true)) ⊢ PBMH ∘ p2ac(P^t) )               {Theorem T.E.2.2}
= A0 ( ¬ (PBMH ∘ p2ac(P^f) ∨ PBMH(¬ (¬ P^f[s/inα_ok] ; true))) ⊢ PBMH ∘ p2ac(P^t) )      {ac' not free in P^f and Lemma L.E.4.5}
= A0 ( ¬ (PBMH ∘ p2ac(P^f) ∨ ¬ (¬ P^f[s/inα_ok] ; true)) ⊢ PBMH ∘ p2ac(P^t) )            {Lemma L.4.6.1}
= A0 ( ¬ (p2ac(P^f) ∨ ¬ (¬ P^f[s/inα_ok] ; true)) ⊢ p2ac(P^t) )                          {Definition of A0 and Theorem T.4.2.3}
= ( ¬ (p2ac(P^f) ∨ ¬ (¬ P^f[s/inα_ok] ; true)) ⊢ p2ac(P^t) ∧ ac' ≠ ∅ )                   {Lemma L.C.5.9 and predicate calculus}
= ( ¬ p2ac(P^f) ∧ (¬ P^f[s/inα_ok] ; true) ⊢ p2ac(P^t) )                                 {Definition of d2ac}
= d2ac(P)
□


C.5.2 p2ac

Properties

Lemma L.4.6.1 PBMH ∘ p2ac(P) = p2ac(P)

Proof.

  PBMH ∘ p2ac(P)                                                               {Definition of PBMH (Lemma L.4.2.3)}
= ∃ ac₀ • p2ac(P)[ac₀/ac'] ∧ ac₀ ⊆ ac'                                          {Definition of p2ac}
= ∃ ac₀ • (∃ z • P[s, z'/inα_ok, outα_ok'] ∧ z ∈ ac')[ac₀/ac'] ∧ ac₀ ⊆ ac'       {Substitution}
= ∃ ac₀ • (∃ z • P[s, z'/inα_ok, outα_ok'] ∧ z ∈ ac₀) ∧ ac₀ ⊆ ac'                {Property of sets}
= ∃ z • P[s, z'/inα_ok, outα_ok'] ∧ z ∈ ac'                                      {Definition of p2ac}
= p2ac(P)
□


Theorem T.4.6.1 $p2ac(P \lor Q) = p2ac(P) \lor p2ac(Q)$

Proof.
\begin{align*}
&p2ac(P \lor Q) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet (P \lor Q)[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Property of substitution}\}\\
&= \exists z \bullet (P[s, z/ina_{ok}, outa_{ok}'] \lor Q[s, z/ina_{ok}, outa_{ok}']) \land undash(z) \in ac' && \{\text{Predicate calculus}\}\\
&= \exists z \bullet \left( \begin{array}{l} (P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \\ \lor \\ (Q[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \end{array} \right) && \{\text{Predicate calculus}\}\\
&= \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \\ \lor \\ (\exists z \bullet Q[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \end{array} \right) && \{\text{Definition of } p2ac\}\\
&= p2ac(P) \lor p2ac(Q)
\end{align*}
□

Theorem T.4.6.2 $p2ac(P \land Q) \Rightarrow p2ac(P) \land p2ac(Q)$

Proof.
\begin{align*}
&p2ac(P \land Q) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet (P \land Q)[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Property of substitution}\}\\
&= \exists z \bullet (P[s, z/ina_{ok}, outa_{ok}'] \land Q[s, z/ina_{ok}, outa_{ok}']) \land undash(z) \in ac' && \{\text{Predicate calculus}\}\\
&= \exists z \bullet \left( \begin{array}{l} (P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \\ \land \\ (Q[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \end{array} \right) && \{\text{Predicate calculus}\}\\
&\Rightarrow \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \\ \land \\ (\exists z \bullet Q[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \end{array} \right) && \{\text{Definition of } p2ac\}\\
&= p2ac(P) \land p2ac(Q)
\end{align*}
□

Theorem T.4.6.3 $\mathbf{A2} \circ p2ac(P) = p2ac(P)$

Proof.
\begin{align*}
&\mathbf{A2} \circ p2ac(P) && \{\text{Definition of } \mathbf{A2}\}\\
&= \mathbf{PBMH}(p2ac(P) \mathbin{;_{\mathcal{A}}} \{s\} = ac') && \{\text{Definition of } p2ac\}\\
&= \mathbf{PBMH}((\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \mathbin{;_{\mathcal{A}}} \{s\} = ac') && \{\text{Definition of } \mathbin{;_{\mathcal{A}}} \text{ and substitution}\}\\
&= \mathbf{PBMH}(\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in \{s \mid \{s\} = ac'\}) && \{\text{Property of sets}\}\\
&= \mathbf{PBMH}(\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land \{undash(z)\} = ac') && \{\text{Definition of } \mathbf{PBMH} \text{ and substitution}\}\\
&= \exists ac_0 \bullet \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land \{undash(z)\} = ac_0 \land ac_0 \subseteq ac' && \{\text{One-point rule}\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land \{undash(z)\} \subseteq ac' && \{\text{Property of sets}\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Definition of } p2ac\}\\
&= p2ac(P)
\end{align*}
□


Theorem T.4.6.4

$ac' \neq \emptyset \land p2ac(\lnot P^f \vdash P^t) = ac' \neq \emptyset \land (\lnot p2ac(P^f) \vdash p2ac(P^t))$

Proof.
\begin{align*}
&ac' \neq \emptyset \land p2ac(\lnot P^f \vdash P^t) && \{\text{Definition of design}\}\\
&= ac' \neq \emptyset \land p2ac((ok \land \lnot P^f) \Rightarrow (P^t \land ok')) && \{\text{Predicate calculus}\}\\
&= ac' \neq \emptyset \land p2ac(\lnot ok \lor P^f \lor (P^t \land ok')) && \{\text{Distributivity of } p2ac \text{ (Theorem T.4.6.1)}\}\\
&= ac' \neq \emptyset \land (p2ac(\lnot ok) \lor p2ac(P^f) \lor p2ac(P^t \land ok')) && \{\text{Lemmas L.C.5.5 and L.C.5.6}\}\\
&= ac' \neq \emptyset \land ((\lnot ok \land ac' \neq \emptyset) \lor p2ac(P^f) \lor (p2ac(P^t) \land ok')) && \{\text{Predicate calculus}\}\\
&= ac' \neq \emptyset \land (\lnot ok \lor p2ac(P^f) \lor (p2ac(P^t) \land ok')) && \{\text{Predicate calculus}\}\\
&= ac' \neq \emptyset \land ((ok \land \lnot p2ac(P^f)) \Rightarrow (p2ac(P^t) \land ok')) && \{\text{Definition of design}\}\\
&= ac' \neq \emptyset \land (\lnot p2ac(P^f) \vdash p2ac(P^t))
\end{align*}
□


Theorem T.4.6.5 Provided $P$ is a design,
$ac' \neq \emptyset \land p2ac(P) = ac' \neq \emptyset \land d2ac(P)$

Proof.
\begin{align*}
&ac' \neq \emptyset \land p2ac(P) && \{\text{Assumption: } P \text{ is a design}\}\\
&= ac' \neq \emptyset \land p2ac((ok \land \lnot P^f) \Rightarrow (P^t \land ok')) && \{\text{Predicate calculus}\}\\
&= ac' \neq \emptyset \land p2ac((ok \land \lnot P^f \land \exists outa \bullet \lnot P^f) \Rightarrow (P^t \land ok')) && \{\text{Predicate calculus}\}\\
&= ac' \neq \emptyset \land p2ac(\lnot ok \lor P^f \lor \lnot (\exists outa \bullet \lnot P^f) \lor (P^t \land ok')) && \{\text{Distributivity of } p2ac \text{ (Theorem T.4.6.1)}\}\\
&= ac' \neq \emptyset \land \left( \begin{array}{l} p2ac(\lnot ok) \lor p2ac(P^f) \\ \lor \\ p2ac(\lnot (\exists outa \bullet \lnot P^f)) \lor p2ac(P^t \land ok') \end{array} \right) && \{\text{Lemmas L.C.5.5 and L.C.5.6}\}\\
&= ac' \neq \emptyset \land \left( \begin{array}{l} (\lnot ok \land ac' \neq \emptyset) \lor p2ac(P^f) \\ \lor \\ p2ac(\lnot (\exists outa \bullet \lnot P^f)) \lor (p2ac(P^t) \land ok') \end{array} \right) && \{\text{Lemma L.C.5.7}\}\\
&= ac' \neq \emptyset \land \left( \begin{array}{l} (\lnot ok \land ac' \neq \emptyset) \lor p2ac(P^f) \\ \lor \\ ((\lnot (\exists outa \bullet \lnot P^f))[s/ina] \land ac' \neq \emptyset) \lor (p2ac(P^t) \land ok') \end{array} \right) && \{\text{Predicate calculus}\}\\
&= ac' \neq \emptyset \land \left( \begin{array}{l} \lnot ok \lor p2ac(P^f) \\ \lor \\ (\lnot (\exists outa \bullet \lnot P^f))[s/ina] \lor (p2ac(P^t) \land ok') \end{array} \right) && \{\text{Property of substitution}\}\\
&= ac' \neq \emptyset \land \left( \begin{array}{l} \lnot ok \lor p2ac(P^f) \\ \lor \\ \lnot (\exists outa \bullet \lnot P^f[s/ina]) \lor (p2ac(P^t) \land ok') \end{array} \right) && \{\text{Predicate calculus}\}\\
&= ac' \neq \emptyset \land ((ok \land \lnot p2ac(P^f) \land \exists outa \bullet \lnot P^f[s/ina]) \Rightarrow (p2ac(P^t) \land ok')) && \{\text{Definition of design}\}\\
&= ac' \neq \emptyset \land (\lnot p2ac(P^f) \land \exists outa \bullet \lnot P^f[s/ina] \vdash p2ac(P^t)) && \{\text{Predicate calculus and definition of sequential composition}\}\\
&= ac' \neq \emptyset \land (\lnot p2ac(P^f) \land (\lnot P^f[s/ina] ; true) \vdash p2ac(P^t)) && \{\text{Definition of } d2ac\}\\
&= ac' \neq \emptyset \land d2ac(P)
\end{align*}
□
Lemmas

Lemma L.C.5.1 Provided $c$ is a condition,

$p2ac(P \lhd c \rhd Q) = p2ac(P) \lhd s.c \rhd p2ac(Q)$

Proof.
\begin{align*}
&p2ac(P \lhd c \rhd Q) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet (P \lhd c \rhd Q)[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Substitution: } c \text{ is a condition}\}\\
&= \exists z \bullet (P[s, z/ina_{ok}, outa_{ok}'] \lhd s.c \rhd Q[s, z/ina_{ok}, outa_{ok}']) \land undash(z) \in ac' && \{\text{Predicate calculus}\}\\
&= \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \\ \lhd s.c \rhd \\ (\exists z \bullet Q[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \end{array} \right) && \{\text{Definition of } p2ac\}\\
&= p2ac(P) \lhd s.c \rhd p2ac(Q)
\end{align*}
□


Lemma L.C.5.2 $p2ac(true) = ac' \neq \emptyset$

Proof.
\begin{align*}
&p2ac(true) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet true[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Substitution}\}\\
&= \exists z \bullet true \land undash(z) \in ac' && \{\text{Predicate calculus}\}\\
&= \exists z \bullet undash(z) \in ac' && \{\text{Property of sets}\}\\
&= ac' \neq \emptyset
\end{align*}
□


Lemma L.C.5.3 $p2ac(false) = false$

Proof.
\begin{align*}
&p2ac(false) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet false[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Predicate calculus}\}\\
&= false
\end{align*}
□

Lemma L.C.5.4 $\exists outa_{ok}' \bullet P = \exists z \bullet P[z/outa_{ok}']$

Proof.
\begin{align*}
&\exists outa_{ok}' \bullet P && \{\text{Introduce fresh state variable } z\}\\
&= \exists z, outa_{ok}' \bullet P \land z.x_0 = x_0 \land \ldots \land z.x_n = x_n && \{\text{One-point rule for each } x_i \text{ in } outa_{ok}'\}\\
&= \exists z \bullet P[z.x_0, \ldots, z.x_n/x_0, \ldots, x_n] && \{\text{Definition of state substitution}\}\\
&= \exists z \bullet P[z/outa_{ok}']
\end{align*}
□


Lemma L.C.5.5 Provided that no variable in $ina_{ok} \cup outa_{ok}'$ is free in $P$,
$p2ac(P \land Q) = P \land p2ac(Q)$

Proof.
\begin{align*}
&p2ac(P \land Q) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet (P \land Q)[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Substitution: assumption}\}\\
&= \exists z \bullet (P \land Q[s, z/ina_{ok}, outa_{ok}']) \land undash(z) \in ac' && \{\text{Predicate calculus}\}\\
&= P \land (\exists z \bullet Q[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') && \{\text{Definition of } p2ac\}\\
&= P \land p2ac(Q)
\end{align*}
□


Lemma L.C.5.6 Provided that no variable in $ina_{ok} \cup outa_{ok}'$ is free in $P$,
$p2ac(P) = P \land ac' \neq \emptyset$

Proof.
\begin{align*}
&p2ac(P) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Substitution: variables of } ina_{ok} \cup outa_{ok}' \text{ not free in } P\}\\
&= \exists z \bullet P \land undash(z) \in ac' && \{\text{Predicate calculus: } z \text{ not free in } P\}\\
&= P \land \exists z \bullet undash(z) \in ac' && \{\text{Property of sets}\}\\
&= P \land ac' \neq \emptyset
\end{align*}
□


Lemma L.C.5.7 Provided that no dashed variable in $outa_{ok}'$ is free in $P$,
$p2ac(P) = P[s/ina_{ok}] \land ac' \neq \emptyset$

Proof.
\begin{align*}
&p2ac(P) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Substitution: variables of } outa_{ok}' \text{ not free in } P\}\\
&= \exists z \bullet P[s/ina_{ok}] \land undash(z) \in ac' && \{\text{Predicate calculus: } z \text{ not free in } P\}\\
&= P[s/ina_{ok}] \land \exists z \bullet undash(z) \in ac' && \{\text{Property of sets}\}\\
&= P[s/ina_{ok}] \land ac' \neq \emptyset
\end{align*}
□


Lemma L.5.3.1 $p2ac \circ ac2p(P) = \exists ac_0, y \bullet P[ac_0/ac'] \land ac_0 \subseteq \{y\} \land y \in ac'$

Proof.
\begin{align*}
&p2ac \circ ac2p(P) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet ac2p(P)[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Definition of } ac2p \text{ (Lemma L.C.5.20)}\}\\
&= \exists z \bullet \left( \begin{array}{l} \exists ac' \bullet P[State_{II}(ina_{ok})/s] \\ \land \\ ac' \subseteq \{z \mid \bigwedge x : outa_{ok}' \bullet dash(z).x = x\} \end{array} \right)[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Variable renaming}\}\\
&= \exists z \bullet \left( \begin{array}{l} \exists ac' \bullet P[State_{II}(ina_{ok})/s] \\ \land \\ ac' \subseteq \{y \mid \bigwedge x : outa_{ok}' \bullet dash(y).x = x\} \end{array} \right)[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Substitution}\}\\
&= \exists z \bullet \left( \begin{array}{l} \exists ac' \bullet P[State_{II}(ina_{ok})/s][s/ina_{ok}] \\ \land \\ ac' \subseteq \{y \mid \bigwedge x : outa_{ok}' \bullet dash(y).x = z.x\} \end{array} \right) \land undash(z) \in ac' && \{\text{Lemma L.D.1.11}\}\\
&= \exists z \bullet \left( \begin{array}{l} \exists ac' \bullet P \\ \land \\ ac' \subseteq \{y \mid \bigwedge x : outa_{ok}' \bullet dash(y).x = z.x\} \end{array} \right) \land undash(z) \in ac' && \{\text{Equality of records}\}\\
&= \exists z \bullet (\exists ac' \bullet P \land ac' \subseteq \{y \mid dash(y) = z\}) \land undash(z) \in ac' && \{\text{Property of } dash \text{ and } undash\}\\
&= \exists z \bullet (\exists ac' \bullet P \land ac' \subseteq \{y \mid y = undash(z)\}) \land undash(z) \in ac' && \{\text{Property of sets}\}\\
&= \exists z \bullet (\exists ac' \bullet P \land ac' \subseteq \{undash(z)\}) \land undash(z) \in ac' && \{\text{Introduce fresh variable } y\}\\
&= \exists y, z \bullet (\exists ac' \bullet P \land ac' \subseteq \{undash(z)\}) \land undash(z) \in ac' \land undash(z) = y && \{\text{One-point rule: } z \text{ not free in } P\}\\
&= \exists y \bullet (\exists ac' \bullet P \land ac' \subseteq \{y\}) \land y \in ac' && \{\text{Variable renaming}\}\\
&= \exists y \bullet (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{y\}) \land y \in ac' && \{\text{Predicate calculus}\}\\
&= \exists ac_0, y \bullet P[ac_0/ac'] \land ac_0 \subseteq \{y\} \land y \in ac'
\end{align*}
□


Lemma L.C.5.8 $p2ac(P)^o_w = p2ac(P^o_w)$

Proof.
\begin{align*}
&p2ac(P)^o_w && \{\text{Substitution abbreviation}\}\\
&= p2ac(P)[o, s \oplus \{wait \mapsto w\}/ok', s] && \{\text{Definition of } p2ac\}\\
&= (\exists z \bullet P[s, z'/ina, outa] \land z \in ac')[o, s \oplus \{wait \mapsto w\}/ok', s] && \{\text{Substitution: } ok' \text{ not in } outa\}\\
&= (\exists z \bullet P[o/ok'][s, z'/ina, outa] \land z \in ac')[s \oplus \{wait \mapsto w\}/s] && \{wait \text{ is not } w \text{ and Lemma L.D.1.4}\}\\
&= \exists z \bullet P[o, w/ok', wait][s, z'/ina, outa] \land z \in ac' && \{\text{Substitution abbreviation}\}\\
&= \exists z \bullet P^o_w[s, z'/ina, outa] \land z \in ac' && \{\text{Definition of } p2ac\}\\
&= p2ac(P^o_w)
\end{align*}
□


Lemma L.C.5.9 $p2ac(P) \Rightarrow ac' \neq \emptyset$

Proof.
\begin{align*}
&p2ac(P) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Predicate calculus}\}\\
&\Rightarrow \exists z \bullet undash(z) \in ac' && \{\text{Predicate calculus}\}\\
&= ac' \neq \emptyset
\end{align*}
□


Lemma L.C.5.10 Provided $ac'$ is not free in $P$ nor $Q$,

$p2ac(P \land Q)[\{y\} \cap ac'/ac'] = (p2ac(P) \land p2ac(Q))[\{y\} \cap ac'/ac']$

Proof.
\begin{align*}
&(p2ac(P) \land p2ac(Q))[\{y\} \cap ac'/ac'] && \{\text{Definition of } p2ac\}\\
&= \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \\ \land \\ (\exists z \bullet Q[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') \end{array} \right)[\{y\} \cap ac'/ac'] && \{\text{Assumption: } ac' \text{ is not free in } P \text{ nor } Q \text{, and substitution}\}\\
&= \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in \{y\} \cap ac') \\ \land \\ (\exists z \bullet Q[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in \{y\} \cap ac') \end{array} \right) && \{\text{Property of sets}\}\\
&= \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in \{y\} \land undash(z) \in ac') \\ \land \\ (\exists z \bullet Q[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in \{y\} \land undash(z) \in ac') \end{array} \right) && \{\text{Property of sets}\}\\
&= \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) = y \land undash(z) \in ac') \\ \land \\ (\exists z \bullet Q[s, z/ina_{ok}, outa_{ok}'] \land undash(z) = y \land undash(z) \in ac') \end{array} \right) && \{\text{Property of } dash \text{ and } undash\}\\
&= \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land z = dash(y) \land undash(z) \in ac') \\ \land \\ (\exists z \bullet Q[s, z/ina_{ok}, outa_{ok}'] \land z = dash(y) \land undash(z) \in ac') \end{array} \right) && \{\text{One-point rule}\}\\
&= \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'][dash(y)/z] \\ \land \\ Q[s, z/ina_{ok}, outa_{ok}'][dash(y)/z] \\ \land \\ undash(dash(y)) \in ac' \end{array} \right) && \{\text{Introduce fresh variable } t\}\\
&= \exists t \bullet \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'][t/z] \\ \land \\ Q[s, z/ina_{ok}, outa_{ok}'][t/z] \\ \land \\ undash(t) \in ac' \land dash(y) = t \end{array} \right) && \{\text{Property of } dash \text{ and } undash\}\\
&= \exists t \bullet \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'][t/z] \\ \land \\ Q[s, z/ina_{ok}, outa_{ok}'][t/z] \\ \land \\ undash(t) \in ac' \land y = undash(t) \end{array} \right) && \{\text{Substitution}\}\\
&= \exists t \bullet \left( \begin{array}{l} P[s, t/ina_{ok}, outa_{ok}'] \\ \land \\ Q[s, t/ina_{ok}, outa_{ok}'] \\ \land \\ undash(t) \in ac' \land y = undash(t) \end{array} \right) && \{\text{Property of sets}\}\\
&= \exists t \bullet \left( \begin{array}{l} P[s, t/ina_{ok}, outa_{ok}'] \\ \land \\ Q[s, t/ina_{ok}, outa_{ok}'] \\ \land \\ undash(t) \in ac' \land undash(t) \in \{y\} \end{array} \right) && \{\text{Property of sets}\}\\
&= \exists t \bullet \left( \begin{array}{l} P[s, t/ina_{ok}, outa_{ok}'] \\ \land \\ Q[s, t/ina_{ok}, outa_{ok}'] \\ \land \\ undash(t) \in (\{y\} \cap ac') \end{array} \right) && \{\text{Substitution}\}\\
&= \left( \exists t \bullet \begin{array}{l} P[s, t/ina_{ok}, outa_{ok}'] \\ \land \\ Q[s, t/ina_{ok}, outa_{ok}'] \\ \land \\ undash(t) \in ac' \end{array} \right)[\{y\} \cap ac'/ac'] && \{\text{Definition of } p2ac\}\\
&= p2ac(P \land Q)[\{y\} \cap ac'/ac']
\end{align*}
□

Lemma L.C.5.11

$p2ac(P)[\{undash(State_{II}(outa_{ok}'))\} \cap ac'/ac'] = P[s/ina_{ok}] \land undash(State_{II}(outa_{ok}')) \in ac'$

Proof.
\begin{align*}
&p2ac(P)[\{undash(State_{II}(outa_{ok}'))\} \cap ac'/ac'] && \{\text{Definition of } p2ac\}\\
&= (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac')[\{undash(State_{II}(outa_{ok}'))\} \cap ac'/ac'] && \{\text{Substitution}\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in \{undash(State_{II}(outa_{ok}'))\} \cap ac' && \{\text{Property of sets}\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in \{undash(State_{II}(outa_{ok}'))\} \land undash(z) \in ac' && \{\text{Property of sets}\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) = undash(State_{II}(outa_{ok}')) \land undash(z) \in ac' && \{\text{Property of } undash\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land z = State_{II}(outa_{ok}') \land undash(z) \in ac' && \{\text{One-point rule}\}\\
&= P[s, z/ina_{ok}, outa_{ok}'][State_{II}(outa_{ok}')/z] \land undash(State_{II}(outa_{ok}')) \in ac' && \{\text{Assumption: } z \text{ is fresh, and Lemma L.D.1.10}\}\\
&= P[s/ina_{ok}] \land undash(State_{II}(outa_{ok}')) \in ac'
\end{align*}
□


Lemma L.C.5.12 Provided $ac'$ is not free in $P$,
$p2ac(P)[\{y \mid e\} \cap ac'/ac'] = p2ac(P \land e[z/y])$

Proof.
\begin{align*}
&p2ac(P)[\{y \mid e\} \cap ac'/ac'] && \{\text{Definition of } p2ac\}\\
&= (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land z \in ac')[\{y \mid e\} \cap ac'/ac'] && \{\text{Assumption: } ac' \text{ is not free in } P \text{, and substitution}\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land z \in \{y \mid e\} \cap ac' && \{\text{Property of sets}\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land z \in \{y \mid e\} \land z \in ac' && \{\text{Property of sets}\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land e[z/y] \land z \in ac' && \{\text{Assumption: } (ina_{ok} \cup outa_{ok}') \cap \alpha(e) = \emptyset\}\\
&= \exists z \bullet (P \land e[z/y])[s, z/ina_{ok}, outa_{ok}'] \land z \in ac' && \{\text{Definition of } p2ac\}\\
&= p2ac(P \land e[z/y])
\end{align*}
□


Lemma L.C.5.13 Provided $ac'$ is not free in $P$ nor in $Q$,

$p2ac(P \land Q) = \exists x \bullet p2ac(P)[\{x\}/ac'] \land p2ac(Q)[\{x\}/ac'] \land x \in ac'$

Proof.
\begin{align*}
&\exists x \bullet p2ac(P)[\{x\}/ac'] \land p2ac(Q)[\{x\}/ac'] \land x \in ac' && \{\text{Definition of } p2ac\}\\
&= \exists x \bullet \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac')[\{x\}/ac'] \\ \land \\ (\exists y \bullet Q[s, y/ina_{ok}, outa_{ok}'] \land undash(y) \in ac')[\{x\}/ac'] \\ \land\ x \in ac' \end{array} \right) && \{\text{Assumption: } ac' \text{ not free in } P \text{ nor } Q \text{, and substitution}\}\\
&= \exists x \bullet \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in \{x\}) \\ \land \\ (\exists y \bullet Q[s, y/ina_{ok}, outa_{ok}'] \land undash(y) \in \{x\}) \\ \land\ x \in ac' \end{array} \right) && \{\text{Property of sets}\}\\
&= \exists x \bullet \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) = x) \\ \land \\ (\exists y \bullet Q[s, y/ina_{ok}, outa_{ok}'] \land undash(y) = x) \\ \land\ x \in ac' \end{array} \right) && \{\text{Property of } dash \text{ and } undash\}\\
&= \exists x \bullet \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land z = dash(x)) \\ \land \\ (\exists y \bullet Q[s, y/ina_{ok}, outa_{ok}'] \land y = dash(x)) \\ \land\ x \in ac' \end{array} \right) && \{\text{Introduce fresh variable } t\}\\
&= \exists t, x \bullet \left( \begin{array}{l} (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land z = t) \\ \land \\ (\exists y \bullet Q[s, y/ina_{ok}, outa_{ok}'] \land y = t) \\ \land\ t = dash(x) \land x \in ac' \end{array} \right) && \{\text{One-point rule}\}\\
&= \exists t, x \bullet \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'][t/z] \\ \land \\ Q[s, y/ina_{ok}, outa_{ok}'][t/y] \\ \land\ t = dash(x) \land x \in ac' \end{array} \right) && \{\text{Property of } dash \text{ and } undash\}\\
&= \exists t, x \bullet \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'][t/z] \\ \land \\ Q[s, y/ina_{ok}, outa_{ok}'][t/y] \\ \land\ undash(t) = x \land x \in ac' \end{array} \right) && \{\text{One-point rule}\}\\
&= \exists t \bullet \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'][t/z] \\ \land \\ Q[s, y/ina_{ok}, outa_{ok}'][t/y] \\ \land\ undash(t) \in ac' \end{array} \right) && \{\text{Substitution}\}\\
&= \exists t \bullet \left( \begin{array}{l} P[s, t/ina_{ok}, outa_{ok}'] \\ \land \\ Q[s, t/ina_{ok}, outa_{ok}'] \\ \land\ undash(t) \in ac' \end{array} \right) && \{\text{Substitution}\}\\
&= \exists t \bullet (P \land Q)[s, t/ina_{ok}, outa_{ok}'] \land undash(t) \in ac' && \{\text{Definition of } p2ac\}\\
&= p2ac(P \land Q)
\end{align*}
□


Lemma L.C.5.14 Provided that $ac'$ is not free in $P$,

$p2ac(P \land Q) = \exists z \bullet \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'] \\ \land \\ p2ac(Q)[\{undash(z)\}/ac'] \land undash(z) \in ac' \end{array} \right)$

Proof.
\begin{align*}
&p2ac(P \land Q) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet (P \land Q)[s,z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Substitution}\}\\
&= \exists z \bullet \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'] \\ \land \\ Q[s, z/ina_{ok}, outa_{ok}'] \end{array} \right) \land undash(z) \in ac' && \{\text{Introduce fresh variable } y\}\\
&= \exists z \bullet \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'] \\ \land \\ (\exists y \bullet Q[s, y/ina_{ok}, outa_{ok}'] \land z = y) \end{array} \right) \land undash(z) \in ac' && \{\text{Property of } undash\}\\
&= \exists z \bullet \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'] \\ \land \\ (\exists y \bullet Q[s, y/ina_{ok}, outa_{ok}'] \land undash(z) = undash(y)) \end{array} \right) \land undash(z) \in ac' && \{\text{Property of sets}\}\\
&= \exists z \bullet \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'] \\ \land \\ (\exists y \bullet Q[s, y/ina_{ok}, outa_{ok}'] \land undash(y) \in \{undash(z)\}) \end{array} \right) \land undash(z) \in ac' && \{\text{Assumption: } ac' \text{ not free in } Q \text{, and substitution}\}\\
&= \exists z \bullet \left( \begin{array}{l} P[s, z/ina_{ok}, outa_{ok}'] \\ \land \\ (\exists y \bullet Q[s, y/ina_{ok}, outa_{ok}'] \land undash(y) \in ac')[\{undash(z)\}/ac'] \end{array} \right) \land undash(z) \in ac' && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land p2ac(Q)[\{undash(z)\}/ac'] \land undash(z) \in ac'
\end{align*}
□


Lemma L.C.5.15 Provided $x$ is not $ac'$, $\exists x \bullet p2ac(P) = p2ac(\exists x \bullet P)$.

Proof.
\begin{align*}
&\exists x \bullet p2ac(P) && \{\text{Definition of } p2ac\}\\
&= \exists x \bullet (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') && \{\text{Assumption: } x \notin (ina_{ok} \cup outa_{ok}') \text{ and predicate calculus}\}\\
&= (\exists z \bullet (\exists x \bullet P)[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') && \{\text{Definition of } p2ac\}\\
&= p2ac(\exists x \bullet P)
\end{align*}
□


Lemma L.C.5.16 $p2ac(P)[o/ok] = p2ac(P[o/ok])$

Proof.
\begin{align*}
&p2ac(P)[o/ok] && \{\text{Definition of } p2ac\}\\
&= (\exists z \bullet P[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac')[o/ok] && \{\text{Substitution}\}\\
&= (\exists z \bullet P[o/ok][s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac') && \{\text{Definition of } p2ac\}\\
&= p2ac(P[o/ok])
\end{align*}
□


Lemma L.C.5.17

$p2ac(P ; Q) = \exists z \bullet (P[s/ina_{ok}] ; Q[z/outa_{ok}']) \land undash(z) \in ac'$

Proof.
\begin{align*}
&p2ac(P ; Q) && \{\text{Definition of sequential composition}\}\\
&= p2ac(\exists v_0 \bullet P[v_0/v'] \land Q[v_0/v]) && \{\text{Definition of } p2ac\}\\
&= \exists z \bullet (\exists v_0 \bullet P[v_0/v'] \land Q[v_0/v])[s, z/ina_{ok}, outa_{ok}'] \land undash(z) \in ac' && \{\text{Substitution}\}\\
&= \exists z \bullet (\exists v_0 \bullet P[s/ina_{ok}][v_0/v'] \land Q[z/outa_{ok}'][v_0/v]) \land undash(z) \in ac' && \{\text{Definition of sequential composition}\}\\
&= \exists z \bullet (P[s/ina_{ok}] ; Q[z/outa_{ok}']) \land undash(z) \in ac'
\end{align*}
□
Lemma L.C.5.18 Provided $ac'$ is not free in $P$,

$p2ac(P ; Q) = P[s/ina_{ok}] ; (\exists z \bullet Q[z/outa_{ok}'] \land undash(z) \in ac')$

Proof.
\begin{align*}
&p2ac(P ; Q) && \{\text{Lemma L.C.5.17}\}\\
&= \exists z \bullet (P[s/ina_{ok}] ; Q[z/outa_{ok}']) \land undash(z) \in ac' && \{\text{Definition of sequential composition}\}\\
&= \exists z, v_0, ok_0 \bullet \left( \begin{array}{l} P[s/ina_{ok}][ok_0, v_0/ok', v'] \\ \land \\ Q[z/outa_{ok}'][ok_0, v_0/ok, v] \land undash(z) \in ac' \end{array} \right) && \{\text{Predicate calculus}\}\\
&= \exists v_0, ok_0 \bullet \left( \begin{array}{l} P[s/ina_{ok}][ok_0, v_0/ok', v'] \\ \land \\ (\exists z \bullet Q[z/outa_{ok}'][ok_0, v_0/ok, v] \land undash(z) \in ac') \end{array} \right) && \{\text{Property of substitution}\}\\
&= \exists v_0, ok_0 \bullet \left( \begin{array}{l} P[s/ina_{ok}][ok_0, v_0/ok', v'] \\ \land \\ (\exists z \bullet Q[z/outa_{ok}'] \land undash(z) \in ac')[ok_0, v_0/ok, v] \end{array} \right) && \{\text{Definition of sequential composition}\}\\
&= P[s/ina_{ok}] ; (\exists z \bullet Q[z/outa_{ok}'] \land undash(z) \in ac')
\end{align*}
□


C.5.3 ac2p

Properties

Theorem T.C.5.1 $ac2p(P \lor Q) = ac2p(P) \lor ac2p(Q)$

Proof.
\begin{align*}
&ac2p(P \lor Q) && \{\text{Definition of } ac2p\}\\
&= \mathbf{PBMH}(P \lor Q)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Distributivity of } \mathbf{PBMH} \text{ (Theorem T.E.2.2)}\}\\
&= \left( \begin{array}{l} \mathbf{PBMH}(P) \\ \lor \\ \mathbf{PBMH}(Q) \end{array} \right)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Property of substitution}\}\\
&= \left( \begin{array}{l} (\mathbf{PBMH}(P)[State_{II}(ina_{ok})/s] \lor \mathbf{PBMH}(Q)[State_{II}(ina_{ok})/s]) \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa_{ok}' \bullet dash(s).x = x \end{array} \right) && \{\text{Distributivity of } \mathbin{;_{\mathcal{A}}} \text{ (Lemma L.F.1.4)}\}\\
&= \left( \begin{array}{l} (\mathbf{PBMH}(P)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x) \\ \lor \\ (\mathbf{PBMH}(Q)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x) \end{array} \right) && \{\text{Definition of } ac2p\}\\
&= ac2p(P) \lor ac2p(Q)
\end{align*}
□


Theorem T.C.5.2 Provided $P$ and $Q$ are $\mathbf{PBMH}$-healthy,
$ac2p(P \land Q) = ac2p(P) \land ac2p(Q)$

Proof.
\begin{align*}
&ac2p(P \land Q) && \{\text{Definition of } ac2p\}\\
&= \mathbf{PBMH}(P \land Q)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Assumption: } P \text{ and } Q \text{ are } \mathbf{PBMH}\text{-healthy, and Lemma L.E.3.1}\}\\
&= \left( \begin{array}{l} \mathbf{PBMH}(P) \\ \land \\ \mathbf{PBMH}(Q) \end{array} \right)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Property of substitution}\}\\
&= \left( \begin{array}{l} \mathbf{PBMH}(P)[State_{II}(ina_{ok})/s] \\ \land \\ \mathbf{PBMH}(Q)[State_{II}(ina_{ok})/s] \end{array} \right) \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Distributivity of } \mathbin{;_{\mathcal{A}}} \text{ (Lemma L.F.1.5)}\}\\
&= \left( \begin{array}{l} (\mathbf{PBMH}(P)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x) \\ \land \\ (\mathbf{PBMH}(Q)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x) \end{array} \right) && \{\text{Definition of } ac2p\}\\
&= ac2p(P) \land ac2p(Q)
\end{align*}
□


Lemmas

Lemma L.4.6.2 (ac2p-alternative-1)

$ac2p(P) = \exists ac' \bullet \left( \begin{array}{l} P[State_{II}(ina_{ok})/s] \\ \land \\ \forall z \bullet z \in ac' \Rightarrow (\bigwedge x : outa_{ok}' \bullet dash(z).x = x) \end{array} \right)$

Proof.
\begin{align*}
&ac2p(P) && \{\text{Lemma L.C.5.20}\}\\
&= \exists ac' \bullet P[State_{II}(ina_{ok})/s] \land ac' \subseteq \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\} && \{\text{Property of sets}\}\\
&= \exists ac' \bullet \left( \begin{array}{l} P[State_{II}(ina_{ok})/s] \\ \land \\ \forall z \bullet z \in ac' \Rightarrow (\bigwedge x : outa_{ok}' \bullet dash(s).x = x)[z/s] \end{array} \right) && \{\text{Substitution}\}\\
&= \exists ac' \bullet \left( \begin{array}{l} P[State_{II}(ina_{ok})/s] \\ \land \\ \forall z \bullet z \in ac' \Rightarrow (\bigwedge x : outa_{ok}' \bullet dash(z).x = x) \end{array} \right)
\end{align*}
□


Lemma L.C.5.19 (ac2p-alternative-2)

$ac2p(P) = \left( \begin{array}{l} \exists ac', s \bullet P \land (\forall z \bullet z \in ac' \Rightarrow \bigwedge x : outa_{ok}' \bullet dash(z).x = x) \\ \land \\ (\bigwedge x : ina_{ok} \bullet s.x = x) \end{array} \right)$

Proof.
\begin{align*}
&\left( \begin{array}{l} \exists ac', s \bullet P \land (\forall z \bullet z \in ac' \Rightarrow \bigwedge x : outa_{ok}' \bullet dash(z).x = x) \\ \land \\ (\bigwedge x : ina_{ok} \bullet s.x = x) \end{array} \right) && \{\text{Lemma L.D.1.9}\}\\
&= \exists ac' \bullet P[State_{II}(ina_{ok})/s] \land (\forall z \bullet z \in ac' \Rightarrow \bigwedge x : outa_{ok}' \bullet dash(z).x = x) && \{\text{Property of sets}\}\\
&= \exists ac' \bullet P[State_{II}(ina_{ok})/s] \land (\forall z \bullet z \in ac' \Rightarrow z \in \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\}) && \{\text{Property of subset inclusion}\}\\
&= \exists ac' \bullet P[State_{II}(ina_{ok})/s] \land ac' \subseteq \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\} && \{\text{Introduce fresh variable}\}\\
&= \exists ac_0 \bullet P[State_{II}(ina_{ok})/s][ac_0/ac'] \land ac_0 \subseteq \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\} && \{\text{Substitution}\}\\
&= \exists ac_0 \bullet P[ac_0/ac'][State_{II}(ina_{ok})/s] \land ac_0 \subseteq \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\} && \{\text{Introduce } ac' \text{ and definition of } \mathbin{;_{\mathcal{A}}}\}\\
&= (\exists ac_0 \bullet P[ac_0/ac'][State_{II}(ina_{ok})/s] \land ac_0 \subseteq ac') \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Substitution}\}\\
&= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac')[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Definition of } \mathbf{PBMH} \text{ (Lemma L.4.2.3)}\}\\
&= \mathbf{PBMH}(P)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Definition of } ac2p\}\\
&= ac2p(P)
\end{align*}
□


Lemma L.C.5.20 (ac2p-alternative-3)

$ac2p(P) = \exists ac' \bullet P[State_{II}(ina_{ok})/s] \land ac' \subseteq \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\}$

Proof.
\begin{align*}
&ac2p(P) && \{\text{Definition of } ac2p\}\\
&= \mathbf{PBMH}(P)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Definition of } \mathbf{PBMH} \text{ (Lemma L.4.2.1)}\}\\
&= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac')[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Definition of } \mathbin{;_{\mathcal{A}}} \text{ and substitution}\}\\
&= \exists ac_0 \bullet \left( \begin{array}{l} P[ac_0/ac'][State_{II}(ina_{ok})/s] \\ \land \\ ac_0 \subseteq \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\} \end{array} \right) && \{\text{Substitution}\}\\
&= \exists ac_0 \bullet \left( \begin{array}{l} P[State_{II}(ina_{ok})/s][ac_0/ac'] \\ \land \\ ac_0 \subseteq \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\} \end{array} \right) && \{\text{Predicate calculus}\}\\
&= \exists ac' \bullet P[State_{II}(ina_{ok})/s] \land ac' \subseteq \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\}
\end{align*}
□
Lemma L.C.5.21 Provided $ac'$ is not free in $e$,

$ac2p(\exists y \bullet y \in ac' \land e) = e[State_{II}(ina_{ok}), undash(State_{II}(outa_{ok}'))/s, y]$

Proof.
\begin{align*}
&ac2p(\exists y \bullet y \in ac' \land e) && \{\text{Definition of } ac2p\}\\
&= \mathbf{PBMH}(\exists y \bullet y \in ac' \land e)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Assumption: } ac' \text{ not free in } e \text{, and Lemma L.E.4.10}\}\\
&= (\exists y \bullet y \in ac' \land e)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Substitution}\}\\
&= (\exists y \bullet y \in ac' \land e[State_{II}(ina_{ok})/s]) \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Definition of } \mathbin{;_{\mathcal{A}}} \text{ and substitution, } ac' \text{ not free in } e\}\\
&= \exists y \bullet y \in \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\} \land e[State_{II}(ina_{ok})/s] && \{\text{Property of sets}\}\\
&= \exists y \bullet (\bigwedge x : outa_{ok}' \bullet dash(y).x = x) \land e[State_{II}(ina_{ok})/s] && \{\text{Introduce fresh variable}\}\\
&= \exists z, y \bullet (\bigwedge x : outa_{ok}' \bullet z.x = x) \land z = dash(y) \land e[State_{II}(ina_{ok})/s] && \{\text{Property of } dash\}\\
&= \exists z, y \bullet (\bigwedge x : outa_{ok}' \bullet z.x = x) \land undash(z) = y \land e[State_{II}(ina_{ok})/s] && \{\text{Lemma L.D.1.9 and substitution}\}
\end{align*}
410 


APPENDIX C. ANGELIC DESIGNS (A) 


\begin{align*}
&= \exists y \bullet undash(State_{II}(outa_{ok}')) = y \land e[State_{II}(ina_{ok})/s] && \{\text{One-point rule}\}\\
&= e[State_{II}(ina_{ok})/s][undash(State_{II}(outa_{ok}'))/y] && \{\text{Substitution}\}\\
&= e[State_{II}(ina_{ok}), undash(State_{II}(outa_{ok}'))/s, y]
\end{align*}
□


Lemma L.C.5.22 Provided $P$ is $\mathbf{A2}$-healthy,

$ac2p(P) = \left( \begin{array}{l} \exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'][State_{II}(ina_{ok})/s] \\ \land \\ ac_0 \subseteq \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\} \end{array} \right)$

Proof.
\begin{align*}
&ac2p(P) && \{\text{Definition of } ac2p\}\\
&= \mathbf{PBMH}(P)[State_{II}(ina_{ok})/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa_{ok}' \bullet dash(s).x = x && \{\text{Assumption: } P \text{ is } \mathbf{A2}\text{-healthy}\}\\
&= \left( \begin{array}{l} \mathbf{PBMH}(\mathbf{PBMH}(P \mathbin{;_{\mathcal{A}}} \{s\} = ac'))[State_{II}(ina_{ok})/s] \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa_{ok}' \bullet dash(s).x = x \end{array} \right) && \{\mathbf{PBMH}\text{-idempotent}\}\\
&= \left( \begin{array}{l} \mathbf{PBMH}(P \mathbin{;_{\mathcal{A}}} \{s\} = ac')[State_{II}(ina_{ok})/s] \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa_{ok}' \bullet dash(s).x = x \end{array} \right) && \{\text{Definition of } \mathbin{;_{\mathcal{A}}} \text{ and substitution}\}\\
&= \left( \begin{array}{l} \mathbf{PBMH}(P[\{s \mid \{s\} = ac'\}/ac'])[State_{II}(ina_{ok})/s] \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa_{ok}' \bullet dash(s).x = x \end{array} \right) && \{\text{Definition of } \mathbf{PBMH} \text{ (Lemma L.4.2.1)}\}\\
&= \left( \begin{array}{l} (\exists ac_0 \bullet (P[\{s \mid \{s\} = ac'\}/ac'])[ac_0/ac'] \land ac_0 \subseteq ac')[State_{II}(ina_{ok})/s] \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa_{ok}' \bullet dash(s).x = x \end{array} \right) && \{\text{Substitution}\}\\
&= \left( \begin{array}{l} (\exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'][State_{II}(ina_{ok})/s] \land ac_0 \subseteq ac') \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa_{ok}' \bullet dash(s).x = x \end{array} \right) && \{\text{Definition of } \mathbin{;_{\mathcal{A}}} \text{ and substitution}\}\\
&= \left( \begin{array}{l} \exists ac_0 \bullet P[\{s \mid \{s\} = ac_0\}/ac'][State_{II}(ina_{ok})/s] \\ \land \\ ac_0 \subseteq \{s \mid \bigwedge x : outa_{ok}' \bullet dash(s).x = x\} \end{array} \right)
\end{align*}
□


Lemma L.C.5.23

$\exists outa \bullet \lnot ac2p(P)[s/ina] \Rightarrow \lnot P[\emptyset/ac']$

Proof.
\begin{align*}
&\exists outa \bullet \lnot ac2p(P)[s/ina] && \{\text{Definition of } ac2p\}\\
&= \exists outa \bullet \lnot \left( \begin{array}{l} \mathbf{PBMH}(P)[State_{II}(ina)/s] \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa \bullet dash(s).x = x \end{array} \right)[s/ina] && \{\text{Definition of } \mathbf{PBMH} \text{ (Lemma L.4.2.1)}\}\\
&= \exists outa \bullet \lnot \left( \begin{array}{l} (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac')[State_{II}(ina)/s] \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa \bullet dash(s).x = x \end{array} \right)[s/ina] && \{\text{Substitution}\}\\
&= \exists outa \bullet \lnot \left( \begin{array}{l} (\exists ac_0 \bullet P[ac_0/ac'][State_{II}(ina)/s] \land ac_0 \subseteq ac') \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa \bullet dash(s).x = x \end{array} \right)[s/ina] && \{\text{Definition of } \mathbin{;_{\mathcal{A}}} \text{ and substitution}\}\\
&= \exists outa \bullet \lnot \left( \begin{array}{l} \exists ac_0 \bullet P[ac_0/ac'][State_{II}(ina)/s] \\ \land \\ ac_0 \subseteq \{s \mid \bigwedge x : outa \bullet dash(s).x = x\} \end{array} \right)[s/ina] && \{\text{Substitution}\}\\
&= \exists outa \bullet \lnot \left( \begin{array}{l} \exists ac_0 \bullet P[ac_0/ac'][State_{II}(ina)/s][s/ina] \\ \land \\ ac_0 \subseteq \{s \mid \bigwedge x : outa \bullet dash(s).x = x\} \end{array} \right) && \{\text{Lemma L.D.1.11}\}\\
&= \exists outa \bullet \lnot (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid \bigwedge x : outa \bullet dash(s).x = x\}) && \{\text{Predicate calculus}\}\\
&= \exists outa \bullet (\forall ac_0 \bullet \lnot P[ac_0/ac'] \lor \lnot (ac_0 \subseteq \{s \mid \bigwedge x : outa \bullet dash(s).x = x\})) && \{\text{Predicate calculus}\}\\
&\Rightarrow \forall ac_0 \bullet (\exists outa \bullet \lnot P[ac_0/ac'] \lor \lnot (ac_0 \subseteq \{s \mid \bigwedge x : outa \bullet dash(s).x = x\})) && \{\text{Predicate calculus: } outa \text{ not free in } P\}\\
&= \forall ac_0 \bullet (\lnot P[ac_0/ac'] \lor \exists outa \bullet \lnot (ac_0 \subseteq \{s \mid \bigwedge x : outa \bullet dash(s).x = x\})) && \{\text{Definition of subset inclusion}\}\\
&= \forall ac_0 \bullet \left( \begin{array}{l} \lnot P[ac_0/ac'] \\ \lor \\ \exists outa \bullet \lnot (\forall y \bullet y \in ac_0 \Rightarrow (\bigwedge x : outa \bullet dash(y).x = x)) \end{array} \right) && \{\text{Predicate calculus}\}\\
&= \forall ac_0 \bullet \left( \begin{array}{l} \lnot P[ac_0/ac'] \\ \lor \\ \exists outa \bullet (\exists y \bullet y \in ac_0 \land \lnot (\bigwedge x : outa \bullet dash(y).x = x)) \end{array} \right) && \{\text{Predicate calculus}\}\\
&= \forall ac_0 \bullet (\lnot P[ac_0/ac'] \lor (\exists outa \bullet \exists y \bullet y \in ac_0)) && \{\text{Predicate calculus}\}\\
&= \lnot \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 = \emptyset && \{\text{One-point rule}\}\\
&= \lnot P[\emptyset/ac']
\end{align*}
□

The following lemma can be restated in a few different ways; in particular, it also implies:

$\exists outa \bullet (\lnot P[State_{II}(ina)/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa \bullet dash(s).x = x)$

Lemma L.C.5.24 Provided $P$ is $\mathbf{PBMH}$-healthy,

$\exists outa \bullet \lnot ac2p(P) \Rightarrow \exists outa \bullet ac2p(\lnot P)$

Proof.
\begin{align*}
&\exists outa \bullet \lnot ac2p(P) && \{\text{Definition of } ac2p\}\\
&= \exists outa \bullet \lnot (\mathbf{PBMH}(P)[State_{II}(ina)/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa \bullet dash(s).x = x) && \{\text{Assumption: } P \text{ is } \mathbf{PBMH}\text{-healthy}\}\\
&= \exists outa \bullet \lnot (P[State_{II}(ina)/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa \bullet dash(s).x = x) && \{\text{Property of } \mathbin{;_{\mathcal{A}}}\}\\
&= \exists outa \bullet ((\lnot P[State_{II}(ina)/s]) \mathbin{;_{\mathcal{A}}} \bigwedge x : outa \bullet dash(s).x = x) && \{\text{Predicate calculus (Lemma L.E.2.1)}\}\\
&= \exists outa \bullet \left( \begin{array}{l} (\lnot P \land \mathbf{PBMH}(\lnot P))[State_{II}(ina)/s] \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa \bullet dash(s).x = x \end{array} \right) && \{\text{Property of substitution}\}\\
&= \exists outa \bullet \left( \begin{array}{l} (\lnot P[State_{II}(ina)/s] \land \mathbf{PBMH}(\lnot P)[State_{II}(ina)/s]) \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa \bullet dash(s).x = x \end{array} \right) && \{\text{Distributivity of } \mathbin{;_{\mathcal{A}}} \text{ (Lemma L.F.1.5) and substitution}\}\\
&= \exists outa \bullet \left( \begin{array}{l} (\lnot P[State_{II}(ina)/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa \bullet dash(s).x = x) \\ \land \\ (\mathbf{PBMH}(\lnot P)[State_{II}(ina)/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa \bullet dash(s).x = x) \end{array} \right) && \{\text{Predicate calculus}\}\\
&\Rightarrow \exists outa \bullet \mathbf{PBMH}(\lnot P)[State_{II}(ina)/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa \bullet dash(s).x = x && \{\text{Definition of } ac2p\}\\
&= \exists outa \bullet ac2p(\lnot P)
\end{align*}
□


Lemma L.C.5.25 Provided none of the variables in $outa$ are free in $P$,
$\exists outa \bullet ac2p(P) \Rightarrow \exists ac' \bullet P[State_{II}(ina)/s]$

Proof.
\begin{align*}
&\exists outa \bullet ac2p(P) && \{\text{Definition of } ac2p\}\\
&= \exists outa \bullet \left( \begin{array}{l} \mathbf{PBMH}(P)[State_{II}(ina)/s] \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa \bullet dash(s).x = x \end{array} \right) && \{\text{Definition of } \mathbf{PBMH} \text{ (Lemma L.4.2.1)}\}\\
&= \exists outa \bullet \left( \begin{array}{l} (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac')[State_{II}(ina)/s] \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa \bullet dash(s).x = x \end{array} \right) && \{\text{Substitution}\}\\
&= \exists outa \bullet \left( \begin{array}{l} (\exists ac_0 \bullet P[ac_0/ac'][State_{II}(ina)/s] \land ac_0 \subseteq ac') \\ \mathbin{;_{\mathcal{A}}} \\ \bigwedge x : outa \bullet dash(s).x = x \end{array} \right) && \{\text{Definition of } \mathbin{;_{\mathcal{A}}} \text{ and substitution}\}\\
&= \exists outa \bullet \left( \begin{array}{l} \exists ac_0 \bullet P[ac_0/ac'][State_{II}(ina)/s] \\ \land \\ ac_0 \subseteq \{s \mid \bigwedge x : outa \bullet dash(s).x = x\} \end{array} \right) && \{\text{Property of sets}\}\\
&= \exists outa \bullet \left( \begin{array}{l} \exists ac_0 \bullet P[ac_0/ac'][State_{II}(ina)/s] \\ \land \\ \forall z \bullet z \in ac_0 \Rightarrow (\bigwedge x : outa \bullet dash(z).x = x) \end{array} \right) && \{\text{Predicate calculus: } outa \text{ not free in } P\}\\
&= \exists ac_0 \bullet \left( \begin{array}{l} P[ac_0/ac'][State_{II}(ina)/s] \\ \land \\ \exists outa \bullet \forall z \bullet z \in ac_0 \Rightarrow (\bigwedge x : outa \bullet dash(z).x = x) \end{array} \right) && \{\text{Predicate calculus}\}\\
&\Rightarrow \exists ac_0 \bullet \left( \begin{array}{l} P[ac_0/ac'][State_{II}(ina)/s] \\ \land \\ \forall z \bullet \exists outa \bullet (z \in ac_0 \Rightarrow (\bigwedge x : outa \bullet dash(z).x = x)) \end{array} \right) && \{\text{Predicate calculus}\}\\
&= \exists ac_0 \bullet \left( \begin{array}{l} P[ac_0/ac'][State_{II}(ina)/s] \\ \land \\ \forall z \bullet z \in ac_0 \Rightarrow (\exists outa \bullet (\bigwedge x : outa \bullet dash(z).x = x)) \end{array} \right) && \{\text{One-point rule}\}\\
&= \exists ac_0 \bullet \left( \begin{array}{l} P[ac_0/ac'][State_{II}(ina)/s] \\ \land \\ \forall z \bullet z \in ac_0 \Rightarrow true \end{array} \right) && \{\text{Predicate calculus}\}\\
&= \exists ac_0 \bullet P[ac_0/ac'][State_{II}(ina)/s] && \{\text{Predicate calculus}\}\\
&= \exists ac' \bullet P[State_{II}(ina)/s]
\end{align*}
□
Lemma L.C.5.26 Provided that $s$ and $ac'$ are not free in $P$,

$ac2p(P \land Q) = P \land ac2p(Q)$

Proof.
\begin{align*}
&ac2p(P \land Q) && \{\text{Definition of } ac2p\}\\
&= \exists ac' \bullet (P \land Q)[State_{II}(ina)/s] \land ac' \subseteq \{z \mid \bigwedge x : outa \bullet dash(z).x = x\} && \{\text{Substitution: } s \text{ not free in } P\}\\
&= \exists ac' \bullet P \land Q[State_{II}(ina)/s] \land ac' \subseteq \{z \mid \bigwedge x : outa \bullet dash(z).x = x\} && \{\text{Predicate calculus: } ac' \text{ not free in } P\}\\
&= P \land \exists ac' \bullet Q[State_{II}(ina)/s] \land ac' \subseteq \{z \mid \bigwedge x : outa \bullet dash(z).x = x\} && \{\text{Definition of } ac2p\}\\
&= P \land ac2p(Q)
\end{align*}
□


Lemma L.C.5.27 Provided that $s$ and $ac'$ are not free in $P$,
$ac2p(P) = P$

Proof.
\begin{align*}
&ac2p(P) && \{\text{Definition of } ac2p\}\\
&= \exists ac' \bullet P[State_{II}(ina)/s] \land ac' \subseteq \{z \mid \bigwedge x : outa \bullet dash(z).x = x\} && \{\text{Substitution: } s \text{ not free in } P\}\\
&= \exists ac' \bullet P \land ac' \subseteq \{z \mid \bigwedge x : outa \bullet dash(z).x = x\} && \{\text{Predicate calculus: } ac' \text{ not free in } P\}\\
&= P \land \exists ac' \bullet ac' \subseteq \{z \mid \bigwedge x : outa \bullet dash(z).x = x\} && \{\text{Property of subset inclusion}\}\\
&= P
\end{align*}
□

Lemma L.C.5.28 Provided $P$ is a design,
$ac2p(P) = (\lnot ac2p(P^f) \vdash ac2p(P^t))$

Proof.
\begin{align*}
&ac2p(P) && \{\text{Assumption: } P \text{ is a design}\}\\
&= ac2p(\lnot P^f \vdash P^t) && \{\text{Definition of design}\}\\
&= ac2p((ok \land \lnot P^f) \Rightarrow (P^t \land ok')) && \{\text{Predicate calculus and distributivity of } ac2p \text{ (Theorem T.C.5.1)}\}\\
&= ac2p(\lnot ok) \lor ac2p(P^f) \lor ac2p(P^t \land ok') && \{\text{Lemmas L.C.5.26 and L.C.5.27}\}\\
&= \lnot ok \lor ac2p(P^f) \lor (ac2p(P^t) \land ok') && \{\text{Predicate calculus}\}\\
&= (ok \land \lnot ac2p(P^f)) \Rightarrow (ac2p(P^t) \land ok') && \{\text{Definition of design}\}\\
&= (\lnot ac2p(P^f) \vdash ac2p(P^t))
\end{align*}
□

Lemma L.C.5.29 $ac2p(P) \Rightarrow \exists ac' \bullet P[State_{II}(ina)/s]$

Proof.
\begin{align*}
&ac2p(P) && \{\text{Definition of } ac2p\}\\
&= \exists ac' \bullet P[State_{II}(ina)/s] \land ac' \subseteq \{z \mid \bigwedge x : outa \bullet dash(z).x = x\} && \{\text{Predicate calculus}\}\\
&\Rightarrow (\exists ac' \bullet P[State_{II}(ina)/s]) \land (\exists ac' \bullet ac' \subseteq \{z \mid \bigwedge x : outa \bullet dash(z).x = x\}) && \{\text{Property of sets}\}\\
&= \exists ac' \bullet P[State_{II}(ina)/s]
\end{align*}
□


Lemma L.C.5.30 Provided $ac'$ is not free in $P$,
$ac2p(P) = P[State_{II}(ina)/s]$

Proof.
\begin{align*}
&ac2p(P) && \{\text{Definition of } ac2p\}\\
&= \mathbf{PBMH}(P)[State_{II}(ina)/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa \bullet dash(s).x = x && \{\text{Assumption: } ac' \text{ not free in } P \text{, and property of } \mathbf{PBMH}\}\\
&= P[State_{II}(ina)/s] \mathbin{;_{\mathcal{A}}} \bigwedge x : outa \bullet dash(s).x = x && \{\text{Definition of } \mathbin{;_{\mathcal{A}}} \text{ and substitution}\}\\
&= P[State_{II}(ina)/s][\{s \mid \bigwedge x : outa \bullet dash(s).x = x\}/ac'] && \{\text{Assumption: } ac' \text{ not free in } P\}\\
&= P[State_{II}(ina)/s]
\end{align*}
□
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Lemma L.C.5.31 ac2p(P)° w = ac2p(Pf) 


Proof. 


ac2p(P)° w {Substitution abbreviation} 

= ac2p(P)[o , w/ok', wait] {Definition of ac2p (Lemma |L.C.5.20 )} 

= (3 ac' • P[Statejj (ina)/s] A ad C {s | x' : outa • s.x = x'})[o, w/ok', wait] 

{Substitution: ok' and wait not in outa} 
= 3 ac' • P[State jj (ina)/s][o, w/ok', wait] A ac' C {s | f\x' : outa • s.x = x'} 

{Substitution: ok' not in ina} 

= 3 ac' • P[o/ok'][State jj (ina)/s][w/wait] A ac' C {s | A x' : outa • s.x = x'} 

{Lemma IL.D.1.121 } 

= 3 ac' • P[o/ok'][s © {wait i —> w} /s] [State jj (ina) / s] A ac' C {s | f\ x' : outa • s.x 

{Substitution abbreviation} 

= 3 ac' • P° [State jj (ina) / s] A ac’ C {s | f \ x' : outa • s.x = x'} 


{Definition of ac2p (Lemma L.C.5.20)} 


= ac2p(P° w ) 


□ 


Lemma L.C.5.32 Provided $ac'$ is not free in $c$,

$ac2p(P \lhd c \rhd Q) = ac2p(P) \lhd c[\mathit{State}_{II}(in\alpha_{ok})/s] \rhd ac2p(Q)$

Proof.

$ac2p(P \lhd c \rhd Q)$ {Definition of conditional}
$= ac2p((c \land P) \lor (\lnot c \land Q))$ {Distributivity of $ac2p$ (Theorem T.C.5.2)}
$= ac2p(c \land P) \lor ac2p(\lnot c \land Q)$ {Assumption: $ac'$ not free in $c$ and Lemma L.C.5.33}
$= (c[\mathit{State}_{II}(in\alpha_{ok})/s] \land ac2p(P)) \lor (\lnot c[\mathit{State}_{II}(in\alpha_{ok})/s] \land ac2p(Q))$ {Property of substitution}
$= (c[\mathit{State}_{II}(in\alpha_{ok})/s] \land ac2p(P)) \lor (\lnot (c[\mathit{State}_{II}(in\alpha_{ok})/s]) \land ac2p(Q))$ {Definition of conditional}
$= ac2p(P) \lhd c[\mathit{State}_{II}(in\alpha_{ok})/s] \rhd ac2p(Q)$

□

APPENDIX C. ANGELIC DESIGNS (A)


Lemma L.C.5.33 Provided $ac'$ is not free in $P$,

$ac2p(P \land Q) = P[\mathit{State}_{II}(in\alpha_{ok})/s] \land ac2p(Q)$

Proof.

$ac2p(P \land Q)$ {Definition of $ac2p$}
$= \mathbf{PBMH}(P \land Q)[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Assumption: $ac'$ not free in $P$ and Lemma L.E.4.8}
$= (P \land \mathbf{PBMH}(Q))[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Property of substitution}
$= (P[\mathit{State}_{II}(in\alpha_{ok})/s] \land \mathbf{PBMH}(Q)[\mathit{State}_{II}(in\alpha_{ok})/s]) \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Distributivity of $;_A$ (Lemma L.F.1.5)}
$= (P[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x) \land (\mathbf{PBMH}(Q)[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x)$ {Assumption: $ac'$ not free in $P$ and Lemma L.F.1.1}
$= P[\mathit{State}_{II}(in\alpha_{ok})/s] \land (\mathbf{PBMH}(Q)[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x)$ {Definition of $ac2p$}
$= P[\mathit{State}_{II}(in\alpha_{ok})/s] \land ac2p(Q)$

□


Lemma L.C.5.34 Provided $in\alpha_{ok} = \{x_0, \ldots, x_i\}$ and $in\alpha_{ok}' = out\alpha_{ok}'$,

$ac2p(s \in ac') = x_0 = x_0' \land \ldots \land x_i = x_i'$

Proof.

$ac2p(s \in ac')$ {Definition of $ac2p$}
$= \mathbf{PBMH}(s \in ac')[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Lemma L.E.4.3}
$= (s \in ac')[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Substitution}
$= \mathit{State}_{II}(in\alpha_{ok}) \in ac' \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Definition of $;_A$ and substitution}
$= \mathit{State}_{II}(in\alpha_{ok}) \in \{s \mid \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x\}$ {Property of sets}
$= \bigwedge x : out\alpha_{ok}' \bullet dash(\mathit{State}_{II}(in\alpha_{ok})).x = x$ {Definition of $\mathit{State}_{II}$}
$= \bigwedge x : out\alpha_{ok}' \bullet dash(\{x_0 \mapsto x_0, \ldots, x_i \mapsto x_i\}).x = x$ {Application of $dash$}
$= \bigwedge x : out\alpha_{ok}' \bullet \{x_0' \mapsto x_0, \ldots, x_i' \mapsto x_i\}.x = x$ {Expansion of conjunction}
$= \{x_0' \mapsto x_0, \ldots, x_i' \mapsto x_i\}.x_0' = x_0' \land \ldots \land \{x_0' \mapsto x_0, \ldots, x_i' \mapsto x_i\}.x_i' = x_i'$ {Value of record component}
$= x_0 = x_0' \land \ldots \land x_i = x_i'$

□


Lemma L.C.5.35 Provided $P$ is $\mathbf{PBMH}$-healthy,

$ac2p(P \land ac' \neq \emptyset) = ac2p(P)$

Proof.

$ac2p(P \land ac' \neq \emptyset)$ {Definition of $ac2p$}
$= \mathbf{PBMH}(P \land ac' \neq \emptyset)[\mathit{State}_{II}(in\alpha)/s] \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x'$ {Assumption: $P$ is $\mathbf{PBMH}$-healthy}
$= \mathbf{PBMH}(\mathbf{PBMH}(P) \land ac' \neq \emptyset)[\mathit{State}_{II}(in\alpha)/s] \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x'$ {$ac' \neq \emptyset$ is $\mathbf{PBMH}$-healthy}
$= \mathbf{PBMH}(\mathbf{PBMH}(P) \land \mathbf{PBMH}(ac' \neq \emptyset))[\mathit{State}_{II}(in\alpha)/s] \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x'$ {Closure of conjunction under $\mathbf{PBMH}$ (Theorem T.E.3.1)}
$= (\mathbf{PBMH}(P) \land \mathbf{PBMH}(ac' \neq \emptyset))[\mathit{State}_{II}(in\alpha)/s] \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x'$ {$ac' \neq \emptyset$ is $\mathbf{PBMH}$-healthy}
$= (\mathbf{PBMH}(P) \land ac' \neq \emptyset)[\mathit{State}_{II}(in\alpha)/s] \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x'$ {Property of substitution}
$= (\mathbf{PBMH}(P)[\mathit{State}_{II}(in\alpha)/s] \land ac' \neq \emptyset) \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x'$ {Right-distributivity of $;_A$ (Lemma L.F.1.5)}
$= (\mathbf{PBMH}(P)[\mathit{State}_{II}(in\alpha)/s] \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x') \land (ac' \neq \emptyset \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x')$ {Definition of $ac2p$}
$= ac2p(P) \land (ac' \neq \emptyset \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x')$ {Property of sets}
$= ac2p(P) \land ((\exists z \bullet z \in ac') \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x')$ {Definition of $;_A$ and substitution}
$= ac2p(P) \land (\exists z \bullet z \in \{s \mid \bigwedge x' : out\alpha \bullet s.x = x'\})$ {Property of sets}
$= ac2p(P) \land (\exists z \bullet \bigwedge x' : out\alpha \bullet z.x = x')$ {One-point rule}
$= ac2p(P)$

□

Lemma L.C.5.36 $ac2p \circ \mathbf{PBMH}(P) = ac2p(P)$

Proof.

$ac2p \circ \mathbf{PBMH}(P)$ {Definition of $ac2p$}
$= \mathbf{PBMH}(\mathbf{PBMH}(P))[\mathit{State}_{II}(in\alpha)/s] \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x'$ {Theorem T.E.2.1: $\mathbf{PBMH}$ is idempotent}
$= \mathbf{PBMH}(P)[\mathit{State}_{II}(in\alpha)/s] \mathrel{;_A} \bigwedge x' : out\alpha \bullet s.x = x'$ {Definition of $ac2p$}
$= ac2p(P)$

□


Lemma L.C.5.37 Provided that $x$ is not $s$ nor $ac'$, $ac2p(\exists x \bullet P) = \exists x \bullet ac2p(P)$

Proof.

$ac2p(\exists x \bullet P)$ {Definition of $ac2p$}
$= \mathbf{PBMH}(\exists x \bullet P)[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Assumption: $x$ is not $ac'$ and Lemma L.E.5.3}
$= (\exists x \bullet \mathbf{PBMH}(P))[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Assumption: $x$ is not $s$ and substitution}
$= (\exists x \bullet \mathbf{PBMH}(P)[\mathit{State}_{II}(in\alpha_{ok})/s]) \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Definition of $;_A$}
$= (\exists x \bullet \mathbf{PBMH}(P)[\mathit{State}_{II}(in\alpha_{ok})/s])[\{s \mid \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x\}/ac']$ {Assumption: $x$ is not $ac'$ and substitution}
$= \exists x \bullet \mathbf{PBMH}(P)[\mathit{State}_{II}(in\alpha_{ok})/s][\{s \mid \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x\}/ac']$ {Definition of $;_A$}
$= \exists x \bullet \mathbf{PBMH}(P)[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Definition of $ac2p$}
$= \exists x \bullet ac2p(P)$

□

Lemma L.C.5.38 $ac2p(y \in ac') = \bigwedge x : out\alpha_{ok}' \bullet dash(y[\mathit{State}_{II}(in\alpha_{ok})/s]).x = x$

Proof.

$ac2p(y \in ac')$ {Definition of $ac2p$}
$= \mathbf{PBMH}(y \in ac')[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Lemma L.E.4.7}
$= (y \in ac')[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Substitution}
$= (y[\mathit{State}_{II}(in\alpha_{ok})/s] \in ac') \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Definition of $;_A$ and substitution}
$= y[\mathit{State}_{II}(in\alpha_{ok})/s] \in \{z \mid \bigwedge x : out\alpha_{ok}' \bullet dash(z).x = x\}$ {Property of sets}
$= \bigwedge x : out\alpha_{ok}' \bullet dash(y[\mathit{State}_{II}(in\alpha_{ok})/s]).x = x$

□

Lemma L.C.5.39 Provided $y$ is not $s$, $ac2p(y \in ac') = \bigwedge x : out\alpha_{ok}' \bullet dash(y).x = x$

Proof.

$ac2p(y \in ac')$ {Lemma L.C.5.38}
$= \bigwedge x : out\alpha_{ok}' \bullet dash(y[\mathit{State}_{II}(in\alpha_{ok})/s]).x = x$ {Assumption: $y$ is not $s$}
$= \bigwedge x : out\alpha_{ok}' \bullet dash(y).x = x$

□
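Worked instance of Lemma L.C.5.38 (added here as an illustration; it is not part of the original appendix). Assume the alphabet $in\alpha_{ok} = \{x, ok\}$, so that $out\alpha_{ok}' = \{x', ok'\}$, and take $P = (s \oplus \{x \mapsto s.x + 1\}) \in ac'$, the postcondition of an angelic assignment to $x$. Because $y = s \oplus \{x \mapsto s.x + 1\}$ mentions $s$, Lemma L.C.5.38 applies rather than Lemma L.C.5.39; the bound variable of the conjunction is written $v$ to keep it apart from the program variable $x$.

$ac2p((s \oplus \{x \mapsto s.x + 1\}) \in ac')$ {Lemma L.C.5.38}
$= \bigwedge v : out\alpha_{ok}' \bullet dash((s \oplus \{x \mapsto s.x + 1\})[\mathit{State}_{II}(in\alpha_{ok})/s]).v = v$ {Definition of $\mathit{State}_{II}$ and substitution}
$= \bigwedge v : out\alpha_{ok}' \bullet dash(\{x \mapsto x, ok \mapsto ok\} \oplus \{x \mapsto x + 1\}).v = v$ {Record override}
$= \bigwedge v : out\alpha_{ok}' \bullet dash(\{x \mapsto x + 1, ok \mapsto ok\}).v = v$ {Application of $dash$}
$= \bigwedge v : out\alpha_{ok}' \bullet \{x' \mapsto x + 1, ok' \mapsto ok\}.v = v$ {Expansion of conjunction and value of record components}
$= x' = x + 1 \land ok' = ok$

The result is the ordinary relational form of the same assignment over $\{x, ok\}$. With the identity record $s$ in place of the override, the same five steps give $x' = x \land ok' = ok$, which is Lemma L.C.5.34 for this alphabet.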


Lemma L.C.5.40 Provided $P$ is $\mathbf{PBMH}$-healthy and $y$ is not $s$,

$\exists y \bullet ac2p(P \land y \in ac') = ac2p(P)[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y]$

Proof.

$\exists y \bullet ac2p(P \land y \in ac')$ {Assumption: $P$ is $\mathbf{PBMH}$-healthy and Theorem T.C.5.2}
$= \exists y \bullet ac2p(P) \land ac2p(y \in ac')$ {Lemma L.C.5.39}
$= \exists y \bullet ac2p(P) \land \bigwedge x : out\alpha_{ok}' \bullet dash(y).x = x$ {Predicate calculus, introduce fresh variable $z$}
$= \exists y, z \bullet ac2p(P) \land \bigwedge x : out\alpha_{ok}' \bullet z.x = x \land dash(y) = z$ {Property of $dash$}
$= \exists y, z \bullet ac2p(P) \land \bigwedge x : out\alpha_{ok}' \bullet z.x = x \land y = undash(z)$ {Lemma L.D.1.9}
$= \exists y \bullet (ac2p(P) \land y = undash(z))[\mathit{State}_{II}(out\alpha_{ok}')/z]$ {Substitution}
$= \exists y \bullet ac2p(P) \land y = undash(\mathit{State}_{II}(out\alpha_{ok}'))$ {One-point rule}
$= ac2p(P)[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y]$

□


Lemma L.C.5.41 Provided $P$ is $\mathbf{PBMH}$-healthy,

$ac2p(\circledast_{y,ac'}(P)) = ac2p(P[\{y\} \cap ac'/ac'])[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y]$

Proof.

$ac2p(\circledast_{y,ac'}(P))$ {Definition of $\circledast_{y,ac'}$}
$= ac2p(\exists y \bullet P[\{y\} \cap ac'/ac'] \land y \in ac')$ {Lemma L.C.5.37}
$= \exists y \bullet ac2p(P[\{y\} \cap ac'/ac'] \land y \in ac')$ {Assumption: $P$ is $\mathbf{PBMH}$-healthy and Lemmas L.C.5.40 and L.E.5.4}
$= ac2p(P[\{y\} \cap ac'/ac'])[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y]$

□


Lemma L.C.5.42 Provided $P$ is $\mathbf{PBMH}$-healthy,

$ac2p(\circledast_{y,ac'}(P)) = ac2p(P[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y][\{undash(\mathit{State}_{II}(out\alpha_{ok}'))\} \cap ac'/ac'])$

Proof.

$ac2p(\circledast_{y,ac'}(P))$ {Assumption: $P$ is $\mathbf{PBMH}$-healthy and Lemma L.C.5.41}
$= ac2p(P[\{y\} \cap ac'/ac'])[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y]$ {Lemma L.C.5.44}
$= ac2p(P[\{y\} \cap ac'/ac'][undash(\mathit{State}_{II}(out\alpha_{ok}'))/y])$ {Substitution}
$= ac2p(P[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y][\{undash(\mathit{State}_{II}(out\alpha_{ok}'))\} \cap ac'/ac'])$

□

Lemma L.C.5.43 Provided $P$ and $Q$ are $\mathbf{PBMH}$-healthy, $y$ is not free in $P$ and $ac'$ is not free in $Q$,

$ac2p(\circledast_{y,ac'}(P \land Q)) = ac2p(P[\{undash(\mathit{State}_{II}(out\alpha_{ok}'))\} \cap ac'/ac']) \land Q[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y][\mathit{State}_{II}(in\alpha_{ok})/s]$

Proof.

$ac2p(\circledast_{y,ac'}(P \land Q))$ {Assumption: $P$ and $Q$ are $\mathbf{PBMH}$-healthy, Theorem T.E.3.1 and Lemma L.C.5.42}
$= ac2p((P \land Q)[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y][\{undash(\mathit{State}_{II}(out\alpha_{ok}'))\} \cap ac'/ac'])$ {Assumption: $y$ is not free in $P$}
$= ac2p((P \land Q[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y])[\{undash(\mathit{State}_{II}(out\alpha_{ok}'))\} \cap ac'/ac'])$ {Assumption: $ac'$ is not free in $Q$}
$= ac2p(P[\{undash(\mathit{State}_{II}(out\alpha_{ok}'))\} \cap ac'/ac'] \land Q[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y])$ {Assumption: $ac'$ is not free in $Q$ and Lemma L.C.5.33}
$= ac2p(P[\{undash(\mathit{State}_{II}(out\alpha_{ok}'))\} \cap ac'/ac']) \land Q[undash(\mathit{State}_{II}(out\alpha_{ok}'))/y][\mathit{State}_{II}(in\alpha_{ok})/s]$

□

Lemma L.C.5.44 Provided that $ac'$ is not free in $P$, that $s$ and $ac'$ are not free in $e$, and that $y$ is not $ac'$ nor $s$,

$ac2p(P)[e/y] = ac2p(P[e/y])$

Proof.

$ac2p(P)[e/y]$ {Definition of $ac2p$}
$= (\mathbf{PBMH}(P)[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x)[e/y]$ {Definition of $;_A$}
$= (\mathbf{PBMH}(P)[\mathit{State}_{II}(in\alpha_{ok})/s][\{s \mid \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x\}/ac'])[e/y]$ {Assumption: $y$ is not $ac'$ and $ac'$ is not free in $e$}
$= \mathbf{PBMH}(P)[\mathit{State}_{II}(in\alpha_{ok})/s][e/y][\{s \mid \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x\}/ac']$ {Definition of $;_A$}
$= \mathbf{PBMH}(P)[\mathit{State}_{II}(in\alpha_{ok})/s][e/y] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Assumption: $y$ is not $s$ and $s$ is not free in $e$}
$= \mathbf{PBMH}(P)[e/y][\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Definition of $\mathbf{PBMH}$ (Lemma L.4.2.1)}
$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac')[e/y][\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Assumption: $y$ is not $ac'$ and $ac'$ is not free in $e$}
$= (\exists ac_0 \bullet P[e/y][ac_0/ac'] \land ac_0 \subseteq ac')[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Definition of $\mathbf{PBMH}$ (Lemma L.4.2.1)}
$= \mathbf{PBMH}(P[e/y])[\mathit{State}_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok}' \bullet dash(s).x = x$ {Definition of $ac2p$}
$= ac2p(P[e/y])$

□


Lemma L.C.5.45 Provided $ac'$ is not free in $P$,

$ac2p(P[s/in\alpha_{ok}] \land undash(\mathit{State}_{II}(out\alpha_{ok}')) \in ac') = P$

Proof.

$ac2p(P[s/in\alpha_{ok}] \land undash(\mathit{State}_{II}(out\alpha_{ok}')) \in ac')$ {Lemma L.C.5.33}
$= P[s/in\alpha_{ok}][\mathit{State}_{II}(in\alpha_{ok})/s] \land ac2p(undash(\mathit{State}_{II}(out\alpha_{ok}')) \in ac')$ {Lemma L.D.1.10}
$= P \land ac2p(undash(\mathit{State}_{II}(out\alpha_{ok}')) \in ac')$ {Lemma L.C.5.46}
$= P \land true$ {Predicate calculus}
$= P$

□


Lemma L.C.5.46 $ac2p(undash(\mathit{State}_{II}(out\alpha_{ok}')) \in ac') = true$

Proof.

$ac2p(undash(\mathit{State}_{II}(out\alpha_{ok}')) \in ac')$ {Lemma L.C.5.39}
$= \bigwedge x : out\alpha_{ok}' \bullet dash(undash(\mathit{State}_{II}(out\alpha_{ok}'))).x = x$ {Property of $dash$ and $undash$}
$= \bigwedge x : out\alpha_{ok}' \bullet \mathit{State}_{II}(out\alpha_{ok}').x = x$ {Definition of $\mathit{State}_{II}$ and $x$ ranges over $out\alpha_{ok}'$}
$= \bigwedge x : out\alpha_{ok}' \bullet \{x_0' \mapsto x_0', \ldots, x_n' \mapsto x_n'\}.x = x$ {$x$ ranges over $out\alpha_{ok}'$}
$= \{x_0' \mapsto x_0', \ldots, x_n' \mapsto x_n'\}.x_0' = x_0' \land \ldots \land \{x_0' \mapsto x_0', \ldots, x_n' \mapsto x_n'\}.x_n' = x_n'$ {Value of record components}
$= x_0' = x_0' \land \ldots \land x_n' = x_n'$ {Predicate calculus}
$= true$

□


Properties with respect to Angelic Designs

Theorem T.C.5.3 Provided that $P$ is a design,

$ac2p \circ \mathbf{A}(P) = (\lnot ac2p(P^f) \vdash ac2p(P^t))$

Proof.

$ac2p \circ \mathbf{A}(P)$ {Assumption: $P$ is a design}
$= ac2p \circ \mathbf{A}(\lnot P^f \vdash P^t)$ {Definition of $\mathbf{A}$}
$= ac2p(\lnot \mathbf{PBMH}(P^f) \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)$ {Definition of design}
$= ac2p((ok \land \lnot \mathbf{PBMH}(P^f)) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset \land ok'))$ {Predicate calculus}
$= ac2p(\lnot ok \lor \mathbf{PBMH}(P^f) \lor (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset \land ok'))$ {Distributivity of $ac2p$ (Theorem T.C.5.1)}
$= ac2p(\lnot ok) \lor ac2p \circ \mathbf{PBMH}(P^f) \lor ac2p(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset \land ok')$ {Lemma L.C.5.27}
$= \lnot ok \lor ac2p \circ \mathbf{PBMH}(P^f) \lor ac2p(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset \land ok')$ {Lemma L.C.5.26}
$= \lnot ok \lor ac2p \circ \mathbf{PBMH}(P^f) \lor (ac2p(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset) \land ok')$ {Lemma L.C.5.35}
$= \lnot ok \lor ac2p \circ \mathbf{PBMH}(P^f) \lor (ac2p \circ \mathbf{PBMH}(P^t) \land ok')$ {Lemma L.C.5.36}
$= \lnot ok \lor ac2p(P^f) \lor (ac2p(P^t) \land ok')$ {Predicate calculus}
$= (ok \land \lnot ac2p(P^f)) \Rightarrow (ac2p(P^t) \land ok')$ {Definition of design}
$= (\lnot ac2p(P^f) \vdash ac2p(P^t))$

□

C.5.4 Isomorphism and Galois Connection (d2ac and ac2p)

Theorem T.4.6.7 Provided that $P$ is a design, $ac2p \circ d2ac(P) = P$.

Proof.

$ac2p \circ d2ac(P)$ {Assumption: $P$ is a design}
$= ac2p \circ d2ac(\lnot P^f \vdash P^t)$ {Definition of $d2ac$}
$= ac2p(\lnot p2ac(P^f) \land (\lnot P^f[s/in\alpha] \mathrel{;} true) \vdash p2ac(P^t))$ {Definition of design}
$= ac2p((ok \land \lnot p2ac(P^f) \land (\lnot P^f[s/in\alpha] \mathrel{;} true)) \Rightarrow (p2ac(P^t) \land ok'))$ {Predicate calculus}
$= ac2p(\lnot ok \lor p2ac(P^f) \lor \lnot (\lnot P^f[s/in\alpha] \mathrel{;} true) \lor (p2ac(P^t) \land ok'))$ {Distributivity of $ac2p$ (Theorem T.C.5.1)}
$= ac2p(\lnot ok) \lor ac2p \circ p2ac(P^f) \lor ac2p(\lnot (\lnot P^f[s/in\alpha] \mathrel{;} true)) \lor ac2p(p2ac(P^t) \land ok')$ {Lemmas L.C.5.26 and L.C.5.27}
$= \lnot ok \lor ac2p \circ p2ac(P^f) \lor ac2p(\lnot (\lnot P^f[s/in\alpha] \mathrel{;} true)) \lor (ac2p \circ p2ac(P^t) \land ok')$ {Theorem T.5.3.5}
$= \lnot ok \lor P^f \lor ac2p(\lnot (\lnot P^f[s/in\alpha] \mathrel{;} true)) \lor (P^t \land ok')$ {$ac'$ not free in $P^f$ and Lemma L.C.5.30}
$= \lnot ok \lor P^f \lor \lnot (\lnot P^f[s/in\alpha] \mathrel{;} true)[\mathit{State}_{II}(in\alpha)/s] \lor (P^t \land ok')$ {Property of substitution}
$= \lnot ok \lor P^f \lor \lnot (\lnot P^f[s/in\alpha][\mathit{State}_{II}(in\alpha)/s] \mathrel{;} true) \lor (P^t \land ok')$ {Lemma L.D.1.10}
$= \lnot ok \lor P^f \lor \lnot (\lnot P^f \mathrel{;} true) \lor (P^t \land ok')$ {Predicate calculus and definition of design}
$= (\lnot P^f \land (\lnot P^f \mathrel{;} true) \vdash P^t)$ {Definition of sequential composition}
$= (\lnot P^f \land (\exists out\alpha \bullet \lnot P^f) \vdash P^t)$ {Predicate calculus: $\lnot P^f \Rightarrow \exists out\alpha \bullet \lnot P^f$}
$= (\lnot P^f \vdash P^t)$ {Assumption: $P$ is a design}
$= P$

□


Theorem T.4.6.8 Provided $P$ is an $\mathbf{A}$-healthy design, $d2ac \circ ac2p(P) \sqsupseteq P$.

Proof.

$d2ac \circ ac2p(P)$ {Lemma L.C.5.47}
$= (\lnot p2ac(ac2p(P^f)) \land (\exists out\alpha \bullet \lnot ac2p(P^f)[s/in\alpha]) \vdash p2ac(ac2p(P^t)))$ {Assumption: $P^f$ and $P^t$ are $\mathbf{PBMH}$-healthy and Theorem T.5.3.6}
$= (\lnot (p2ac(ac2p(P^f)) \land P^f) \land (\exists out\alpha \bullet \lnot ac2p(P^f)[s/in\alpha]) \vdash p2ac(ac2p(P^t)) \land P^t)$ {Lemma L.C.5.29 and predicate calculus}
$= (\lnot (p2ac(ac2p(P^f)) \land P^f) \land (\exists out\alpha \bullet \lnot (ac2p(P^f) \land (\exists ac' \bullet P^f[\mathit{State}_{II}(in\alpha)/s]))[s/in\alpha]) \vdash p2ac(ac2p(P^t)) \land P^t)$ {Property of substitution}
$= (\lnot (p2ac(ac2p(P^f)) \land P^f) \land (\exists out\alpha \bullet \lnot (ac2p(P^f)[s/in\alpha] \land (\exists ac' \bullet P^f[\mathit{State}_{II}(in\alpha)/s][s/in\alpha]))) \vdash p2ac(ac2p(P^t)) \land P^t)$ {Lemma L.D.1.11}
$= (\lnot (p2ac(ac2p(P^f)) \land P^f) \land (\exists out\alpha \bullet \lnot (ac2p(P^f)[s/in\alpha] \land (\exists ac' \bullet P^f))) \vdash p2ac(ac2p(P^t)) \land P^t)$ {Predicate calculus}
$= ((\lnot p2ac(ac2p(P^f)) \lor \lnot P^f) \land ((\exists out\alpha \bullet \lnot ac2p(P^f)[s/in\alpha]) \lor (\exists out\alpha \bullet \lnot \exists ac' \bullet P^f)) \vdash p2ac(ac2p(P^t)) \land P^t)$ {Predicate calculus: $out\alpha$ not free in $P$}
$= ((\lnot p2ac(ac2p(P^f)) \lor \lnot P^f) \land ((\exists out\alpha \bullet \lnot ac2p(P^f)[s/in\alpha]) \lor \lnot \exists ac' \bullet P^f) \vdash p2ac(ac2p(P^t)) \land P^t)$ {Predicate calculus}
$= ((\lnot p2ac(ac2p(P^f)) \land \exists out\alpha \bullet \lnot ac2p(P^f)[s/in\alpha]) \lor (\lnot p2ac(ac2p(P^f)) \land \lnot \exists ac' \bullet P^f) \lor (\lnot P^f \land \exists out\alpha \bullet \lnot ac2p(P^f)[s/in\alpha]) \lor (\lnot P^f \land \lnot \exists ac' \bullet P^f) \vdash p2ac(ac2p(P^t)) \land P^t)$ {Refinement of designs}
$\sqsupseteq (\lnot P^f \land (\lnot \exists ac' \bullet P^f) \vdash P^t)$ {Predicate calculus}
$= (\lnot P^f \vdash P^t)$ {Definition of design}
$= P$

□


Theorem T.4.6.9 Provided $P$ is an $\mathbf{A0}$-$\mathbf{A2}$-healthy design, $d2ac \circ ac2p(P) \sqsubseteq P$.

Proof.

$d2ac \circ ac2p(P)$ {Assumption: $P$ is an $\mathbf{A0}$-$\mathbf{A2}$-healthy design}
$= d2ac \circ ac2p(\lnot \mathbf{A2} \circ \mathbf{PBMH}(P^f) \vdash \mathbf{A2}(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))$ {Lemma L.C.5.47}
$= (\lnot p2ac \circ ac2p(\mathbf{A2} \circ \mathbf{PBMH}(P^f)) \land (\exists out\alpha \bullet \lnot ac2p(\mathbf{A2} \circ \mathbf{PBMH}(P^f))[s/in\alpha]) \vdash p2ac \circ ac2p(\mathbf{A2}(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)))$ {Lemma L.C.5.23 and refinement of designs}
$\sqsubseteq (\lnot p2ac \circ ac2p(\mathbf{A2} \circ \mathbf{PBMH}(P^f)) \land \lnot \mathbf{A2} \circ \mathbf{PBMH}(P^f)[\emptyset/ac'] \vdash p2ac \circ ac2p(\mathbf{A2}(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)))$ {Lemma L.C.1.19}
$= (\lnot p2ac \circ ac2p(\mathbf{A2} \circ \mathbf{PBMH}(P^f)) \land \lnot \mathbf{PBMH}(P^f)[\emptyset/ac'] \vdash p2ac \circ ac2p(\mathbf{A2}(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)))$ {Predicate calculus}
$= (\lnot (p2ac \circ ac2p(\mathbf{A2} \circ \mathbf{PBMH}(P^f)) \lor \mathbf{PBMH}(P^f)[\emptyset/ac']) \vdash p2ac \circ ac2p(\mathbf{A2}(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)))$ {Lemma L.C.1.32}
$= (\lnot ((\mathbf{PBMH}(P^f)[\emptyset/ac'] \land ac' \neq \emptyset) \lor (\exists y \bullet \mathbf{PBMH}(P^f)[\{y\}/ac'] \land y \in ac') \lor \mathbf{PBMH}(P^f)[\emptyset/ac']) \vdash p2ac \circ ac2p(\mathbf{A2}(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)))$ {Predicate calculus: absorption law}
$= (\lnot ((\exists y \bullet \mathbf{PBMH}(P^f)[\{y\}/ac'] \land y \in ac') \lor \mathbf{PBMH}(P^f)[\emptyset/ac']) \vdash p2ac \circ ac2p(\mathbf{A2}(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)))$ {Theorem T.4.2.11}
$= (\lnot \mathbf{A2} \circ \mathbf{PBMH}(P^f) \vdash p2ac \circ ac2p(\mathbf{A2}(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)))$ {Lemma L.C.1.32}
$= (\lnot \mathbf{A2} \circ \mathbf{PBMH}(P^f) \vdash ((\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)[\emptyset/ac'] \land ac' \neq \emptyset) \lor (\exists y \bullet (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)[\{y\}/ac'] \land y \in ac'))$ {Substitution}
$= (\lnot \mathbf{A2} \circ \mathbf{PBMH}(P^f) \vdash (\mathbf{PBMH}(P^t)[\emptyset/ac'] \land \emptyset \neq \emptyset \land ac' \neq \emptyset) \lor (\exists y \bullet \mathbf{PBMH}(P^t)[\{y\}/ac'] \land \{y\} \neq \emptyset \land y \in ac'))$ {Predicate calculus}
$= (\lnot \mathbf{A2} \circ \mathbf{PBMH}(P^f) \vdash \exists y \bullet \mathbf{PBMH}(P^t)[\{y\}/ac'] \land \{y\} \neq \emptyset \land y \in ac')$ {Property of sets}
$= (\lnot \mathbf{A2} \circ \mathbf{PBMH}(P^f) \vdash \exists y \bullet \mathbf{PBMH}(P^t)[\{y\}/ac'] \land y \in ac')$ {Lemma L.C.1.17}
$= (\lnot \mathbf{A2} \circ \mathbf{PBMH}(P^f) \vdash \mathbf{A2}(\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))$ {Assumption: $P$ is an $\mathbf{A0}$-$\mathbf{A2}$-healthy design}
$= P$

□


Theorem T.4.6.10 Provided $P$ is a design that is $\mathbf{A0}$-$\mathbf{A2}$-healthy,

$d2ac \circ ac2p(P) = P$

Proof. Follows from Theorems T.4.6.8 and T.4.6.9, which give the two directions of refinement.

□


Lemma L.C.5.47

$d2ac \circ ac2p(P) = (\lnot p2ac(ac2p(P^f)) \land (\exists out\alpha \bullet \lnot ac2p(P^f)[s/in\alpha]) \vdash p2ac(ac2p(P^t)))$

Proof.

$d2ac \circ ac2p(P)$ {Lemma L.C.5.28}
$= d2ac(\lnot ac2p(P^f) \vdash ac2p(P^t))$ {Definition of $d2ac$}
$= (\lnot p2ac(ac2p(P^f)) \land (\lnot ac2p(P^f)[s/in\alpha] \mathrel{;} true) \vdash p2ac(ac2p(P^t)))$ {Definition of sequential composition}
$= (\lnot p2ac(ac2p(P^f)) \land (\exists out\alpha \bullet \lnot ac2p(P^f)[s/in\alpha]) \vdash p2ac(ac2p(P^t)))$

□


C.6 Relationship with the PBMH Theory

C.6.1 d2pbmh

Theorem T.4.7.1 Provided $P$ is $\mathbf{PBMH}$-healthy,

$\mathbf{PBMH} \circ d2pbmh(P) = d2pbmh(P)$

Proof.

$d2pbmh(P)$ {Assumption: $P$ is $\mathbf{PBMH}$-healthy and Lemma L.C.6.1}
$= \exists ac_0 \bullet (\lnot P^f \Rightarrow P^t)[true/ok][\mathit{State}_{II}(in\alpha_{ok})/s][ac_0/ac'] \land ac_0 \subseteq undashset(ac')$ {Introduce fresh variable $ac_1$: transitivity of $\subseteq$, with $ac_1 = ac'$ as witness for the converse}
$= \exists ac_0, ac_1 \bullet (\lnot P^f \Rightarrow P^t)[true/ok][\mathit{State}_{II}(in\alpha_{ok})/s][ac_0/ac'] \land ac_0 \subseteq undashset(ac_1) \land undashset(ac_1) \subseteq undashset(ac')$ {Property of $undashset$}
$= \exists ac_0, ac_1 \bullet (\lnot P^f \Rightarrow P^t)[true/ok][\mathit{State}_{II}(in\alpha_{ok})/s][ac_0/ac'] \land ac_0 \subseteq undashset(ac_1) \land ac_1 \subseteq ac'$ {Substitution and predicate calculus}
$= \exists ac_1 \bullet (\exists ac_0 \bullet (\lnot P^f \Rightarrow P^t)[true/ok][\mathit{State}_{II}(in\alpha_{ok})/s][ac_0/ac'] \land ac_0 \subseteq undashset(ac'))[ac_1/ac'] \land ac_1 \subseteq ac'$ {Definition of $\mathbf{PBMH}$}
$= \mathbf{PBMH}(\exists ac_0 \bullet (\lnot P^f \Rightarrow P^t)[true/ok][\mathit{State}_{II}(in\alpha_{ok})/s][ac_0/ac'] \land ac_0 \subseteq undashset(ac'))$ {Assumption: $P$ is $\mathbf{PBMH}$-healthy and Lemma L.C.6.1}
$= \mathbf{PBMH} \circ d2pbmh(P)$

□


Lemma L.C.6.1

$d2pbmh \circ \mathbf{PBMH}(P) = \exists ac_0 \bullet (\lnot P^f \Rightarrow P^t)[true/ok][\mathit{State}_{II}(in\alpha_{ok})/s][ac_0/ac'] \land ac_0 \subseteq undashset(ac')$

Proof.

$d2pbmh \circ \mathbf{PBMH}(P)$ {Definition of $d2pbmh$}
$= (\lnot \mathbf{PBMH}(P)^f \Rightarrow \mathbf{PBMH}(P)^t)[true/ok][undashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s]$ {Lemma L.E.5.1}
$= (\lnot \mathbf{PBMH}(P^f) \Rightarrow \mathbf{PBMH}(P^t))[true/ok][undashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s]$ {Predicate calculus and Theorem T.E.2.2}
$= \mathbf{PBMH}(\lnot P^f \Rightarrow P^t)[true/ok][undashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s]$ {Definition of $\mathbf{PBMH}$}
$= (\exists ac_0 \bullet (\lnot P^f \Rightarrow P^t)[ac_0/ac'] \land ac_0 \subseteq ac')[true/ok][undashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s]$ {Substitution}
$= \exists ac_0 \bullet (\lnot P^f \Rightarrow P^t)[true/ok][\mathit{State}_{II}(in\alpha_{ok})/s][ac_0/ac'] \land ac_0 \subseteq undashset(ac')$

□


C.6.2 pbmh2d

Theorem T.4.7.2 Provided $P$ is $\mathbf{PBMH}$-healthy,

$\mathbf{A} \circ \mathbf{H3} \circ pbmh2d(P) = pbmh2d(P)$

Proof.

$\mathbf{A} \circ \mathbf{H3} \circ pbmh2d(P)$ {Definition of $pbmh2d$}
$= \mathbf{A} \circ \mathbf{H3}((\lnot P[\emptyset/ac'] \vdash P[dashset(ac')/ac'])[s/in\alpha_{ok}])$ {Substitution}
$= \mathbf{A} \circ \mathbf{H3}(\lnot P[\emptyset/ac'][s/in\alpha_{ok}] \vdash P[dashset(ac')/ac'][s/in\alpha_{ok}])$ {Definition of $\mathbf{A}$ and $\mathbf{H3}$}
$= (\exists ac' \bullet \lnot P[\emptyset/ac'][s/in\alpha_{ok}] \vdash \mathbf{PBMH}(P[dashset(ac')/ac'][s/in\alpha_{ok}]) \land ac' \neq \emptyset)$ {$ac'$ not free in the precondition}
$= (\lnot P[\emptyset/ac'][s/in\alpha_{ok}] \vdash \mathbf{PBMH}(P[dashset(ac')/ac'][s/in\alpha_{ok}]) \land ac' \neq \emptyset)$ {Substitution and definition of $\mathbf{PBMH}$}
$= (\lnot P[\emptyset/ac'][s/in\alpha_{ok}] \vdash \mathbf{PBMH}(P[dashset(ac')/ac'])[s/in\alpha_{ok}] \land ac' \neq \emptyset)$ {Lemma L.C.6.2}
$= (\lnot P[\emptyset/ac'][s/in\alpha_{ok}] \vdash \mathbf{PBMH}(P)[dashset(ac')/ac'][s/in\alpha_{ok}] \land ac' \neq \emptyset)$ {Assumption: $P$ is $\mathbf{PBMH}$-healthy}
$= (\lnot P[\emptyset/ac'][s/in\alpha_{ok}] \vdash P[dashset(ac')/ac'][s/in\alpha_{ok}] \land ac' \neq \emptyset)$ {Property of designs: a disjunct falsified by the precondition may be added to the postcondition}
$= (\lnot P[\emptyset/ac'][s/in\alpha_{ok}] \vdash (P[\emptyset/ac'][s/in\alpha_{ok}] \land ac' = \emptyset) \lor (P[dashset(ac')/ac'][s/in\alpha_{ok}] \land ac' \neq \emptyset))$ {Lemma L.C.6.3}
$= (\lnot P[\emptyset/ac'][s/in\alpha_{ok}] \vdash (P[s/in\alpha_{ok}] \land ac' = \emptyset) \lor (P[dashset(ac')/ac'][s/in\alpha_{ok}] \land ac' \neq \emptyset))$ {Property of $dashset$: $dashset(\emptyset) = \emptyset$, and Lemma L.C.6.3}
$= (\lnot P[\emptyset/ac'][s/in\alpha_{ok}] \vdash (P[dashset(ac')/ac'][s/in\alpha_{ok}] \land ac' = \emptyset) \lor (P[dashset(ac')/ac'][s/in\alpha_{ok}] \land ac' \neq \emptyset))$ {Predicate calculus}
$= (\lnot P[\emptyset/ac'][s/in\alpha_{ok}] \vdash P[dashset(ac')/ac'][s/in\alpha_{ok}])$ {Substitution and definition of $pbmh2d$}
$= pbmh2d(P)$

□


C.6.3 Galois Connection and Isomorphism (d2pbmh and pbmh2d)

Theorem T.4.7.3 Provided $P$ is $\mathbf{PBMH}$-healthy, $d2pbmh \circ pbmh2d(P) = P$.

Proof.

$d2pbmh \circ pbmh2d(P)$ {Definition of $d2pbmh$}
$= (\lnot (pbmh2d(P))^f \Rightarrow (pbmh2d(P))^t)[true/ok][undashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s]$ {Definition of $pbmh2d$ and Lemmas L.A.2.11 and L.A.2.12}
$= (\lnot (ok \Rightarrow P[\emptyset/ac'][s/in\alpha_{ok}]^f) \Rightarrow ((ok \land \lnot P[\emptyset/ac'][s/in\alpha_{ok}]^t) \Rightarrow P[dashset(ac')/ac'][s/in\alpha_{ok}]^t))[true/ok][undashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s]$ {Substitution}
$= (\lnot (true \Rightarrow P[\emptyset/ac'][s/in\alpha_{ok}]^f) \Rightarrow ((true \land \lnot P[\emptyset/ac'][s/in\alpha_{ok}]^t) \Rightarrow P[dashset(ac')/ac'][s/in\alpha_{ok}]^t))[undashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s]$ {$ok'$ not free in $P$}
$= (\lnot (true \Rightarrow P[\emptyset/ac'][s/in\alpha_{ok}]) \Rightarrow ((true \land \lnot P[\emptyset/ac'][s/in\alpha_{ok}]) \Rightarrow P[dashset(ac')/ac'][s/in\alpha_{ok}]))[undashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s]$ {Predicate calculus}
$= (\lnot P[\emptyset/ac'][s/in\alpha_{ok}] \Rightarrow P[dashset(ac')/ac'][s/in\alpha_{ok}])[undashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s]$ {Substitution}
$= \lnot P[\emptyset/ac'][s/in\alpha_{ok}][\mathit{State}_{II}(in\alpha_{ok})/s] \Rightarrow P[dashset \circ undashset(ac')/ac'][s/in\alpha_{ok}][\mathit{State}_{II}(in\alpha_{ok})/s]$ {Property of $dashset$ and $undashset$}
$= \lnot P[\emptyset/ac'][s/in\alpha_{ok}][\mathit{State}_{II}(in\alpha_{ok})/s] \Rightarrow P[s/in\alpha_{ok}][\mathit{State}_{II}(in\alpha_{ok})/s]$ {Lemma L.D.1.10}
$= \lnot P[\emptyset/ac'] \Rightarrow P$ {Predicate calculus}
$= P[\emptyset/ac'] \lor P$ {Assumption: $P$ is $\mathbf{PBMH}$-healthy and Lemma L.E.2.2}
$= P$

□


Theorem T.4.7.4 Provided $P$ is an $\mathbf{A}$-healthy design,

$pbmh2d \circ d2pbmh(P) \sqsubseteq P$

Proof.

$pbmh2d \circ d2pbmh(P)$ {Lemma L.C.6.4}
$= (\lnot P^f[\emptyset/ac'] \land \lnot P^t[\emptyset/ac'] \vdash (\lnot P^f \Rightarrow P^t))$ {Assumption: $P$ is an $\mathbf{A}$-healthy design}
$= (\lnot (\lnot \mathbf{PBMH}(P^f) \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^f[\emptyset/ac'] \land \lnot (\lnot \mathbf{PBMH}(P^f) \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^t[\emptyset/ac'] \vdash (\lnot (\lnot \mathbf{PBMH}(P^f) \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^f \Rightarrow (\lnot \mathbf{PBMH}(P^f) \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^t))$ {Lemmas L.A.2.11 and L.A.2.12}
$= (\lnot (ok \Rightarrow \mathbf{PBMH}(P^f)^f)[\emptyset/ac'] \land \lnot ((ok \land \lnot \mathbf{PBMH}(P^f)^t) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^t)[\emptyset/ac'] \vdash (\lnot (ok \Rightarrow \mathbf{PBMH}(P^f)^f) \Rightarrow ((ok \land \lnot \mathbf{PBMH}(P^f)^t) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^t)))$ {$ok'$ not free}
$= (\lnot (ok \Rightarrow \mathbf{PBMH}(P^f))[\emptyset/ac'] \land \lnot ((ok \land \lnot \mathbf{PBMH}(P^f)) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))[\emptyset/ac'] \vdash (\lnot (ok \Rightarrow \mathbf{PBMH}(P^f)) \Rightarrow ((ok \land \lnot \mathbf{PBMH}(P^f)) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))))$ {Substitution}
$= (\lnot (ok \Rightarrow \mathbf{PBMH}(P^f)[\emptyset/ac']) \land \lnot ((ok \land \lnot \mathbf{PBMH}(P^f)) \Rightarrow (\mathbf{PBMH}(P^t)[\emptyset/ac'] \land \emptyset \neq \emptyset)) \vdash (\lnot (ok \Rightarrow \mathbf{PBMH}(P^f)) \Rightarrow ((ok \land \lnot \mathbf{PBMH}(P^f)) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))))$ {Property of sets and predicate calculus}
$= (\lnot (ok \Rightarrow \mathbf{PBMH}(P^f)[\emptyset/ac']) \land (ok \land \lnot \mathbf{PBMH}(P^f)) \vdash (\lnot (ok \Rightarrow \mathbf{PBMH}(P^f)) \Rightarrow ((ok \land \lnot \mathbf{PBMH}(P^f)) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))))$ {Predicate calculus}
$= ((ok \land \lnot \mathbf{PBMH}(P^f)[\emptyset/ac']) \land (ok \land \lnot \mathbf{PBMH}(P^f)) \vdash ((ok \land \lnot \mathbf{PBMH}(P^f)) \Rightarrow ((ok \land \lnot \mathbf{PBMH}(P^f)) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))))$ {Property of designs and predicate calculus: the antecedent is a conjunct of the precondition}
$= ((ok \land \lnot \mathbf{PBMH}(P^f)[\emptyset/ac']) \land (ok \land \lnot \mathbf{PBMH}(P^f)) \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)$ {Property of designs and predicate calculus}
$= (\lnot \mathbf{PBMH}(P^f)[\emptyset/ac'] \land \lnot \mathbf{PBMH}(P^f) \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)$ {Weaken precondition}
$\sqsubseteq (\lnot \mathbf{PBMH}(P^f) \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)$ {Definition of $\mathbf{A}$}
$= \mathbf{A}(\lnot P^f \vdash P^t)$ {Assumption: $P$ is an $\mathbf{A}$-healthy design}
$= P$

□


Theorem T.4.7.5 Provided $P$ is a design that is $\mathbf{A}$ and $\mathbf{H3}$-healthy,

$pbmh2d \circ d2pbmh(P) = P$

Proof.

$pbmh2d \circ d2pbmh(P)$ {Lemma L.C.6.4}
$= (\lnot P^f[\emptyset/ac'] \land \lnot P^t[\emptyset/ac'] \vdash (\lnot P^f \Rightarrow P^t))$ {Assumption: $P$ is a design that is $\mathbf{A}$ and $\mathbf{H3}$-healthy}
$= (\lnot (\exists ac' \bullet \lnot P^f \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^f[\emptyset/ac'] \land \lnot (\exists ac' \bullet \lnot P^f \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^t[\emptyset/ac'] \vdash (\lnot (\exists ac' \bullet \lnot P^f \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^f \Rightarrow (\exists ac' \bullet \lnot P^f \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^t))$ {Lemmas L.A.2.11 and L.A.2.12}
$= (\lnot (ok \Rightarrow \lnot (\exists ac' \bullet \lnot P^f)^f)[\emptyset/ac'] \land \lnot ((ok \land (\exists ac' \bullet \lnot P^f)^t) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^t)[\emptyset/ac'] \vdash (\lnot (ok \Rightarrow \lnot (\exists ac' \bullet \lnot P^f)^f) \Rightarrow ((ok \land (\exists ac' \bullet \lnot P^f)^t) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset)^t)))$ {$ok'$ not free}
$= (\lnot (ok \Rightarrow \lnot \exists ac' \bullet \lnot P^f)[\emptyset/ac'] \land \lnot ((ok \land \exists ac' \bullet \lnot P^f) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))[\emptyset/ac'] \vdash (\lnot (ok \Rightarrow \lnot \exists ac' \bullet \lnot P^f) \Rightarrow ((ok \land \exists ac' \bullet \lnot P^f) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))))$ {Substitution: $ac'$ is bound in $\exists ac' \bullet \lnot P^f$}
$= (\lnot (ok \Rightarrow \lnot \exists ac' \bullet \lnot P^f) \land \lnot ((ok \land \exists ac' \bullet \lnot P^f) \Rightarrow (\mathbf{PBMH}(P^t)[\emptyset/ac'] \land \emptyset \neq \emptyset)) \vdash (\lnot (ok \Rightarrow \lnot \exists ac' \bullet \lnot P^f) \Rightarrow ((ok \land \exists ac' \bullet \lnot P^f) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))))$ {Property of sets and predicate calculus}
$= (\lnot (ok \Rightarrow \lnot \exists ac' \bullet \lnot P^f) \land (ok \land \exists ac' \bullet \lnot P^f) \vdash (\lnot (ok \Rightarrow \lnot \exists ac' \bullet \lnot P^f) \Rightarrow ((ok \land \exists ac' \bullet \lnot P^f) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))))$ {Predicate calculus}
$= (ok \land \exists ac' \bullet \lnot P^f \vdash ((ok \land \exists ac' \bullet \lnot P^f) \Rightarrow ((ok \land \exists ac' \bullet \lnot P^f) \Rightarrow (\mathbf{PBMH}(P^t) \land ac' \neq \emptyset))))$ {Property of designs and predicate calculus: the antecedent is the precondition}
$= (ok \land \exists ac' \bullet \lnot P^f \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)$ {Property of designs and predicate calculus}
$= (\exists ac' \bullet \lnot P^f \vdash \mathbf{PBMH}(P^t) \land ac' \neq \emptyset)$ {Definition of $\mathbf{A}$ and $\mathbf{H3}$}
$= \mathbf{A} \circ \mathbf{H3}(\lnot P^f \vdash P^t)$ {Assumption: $P$ is a design that is $\mathbf{A}$ and $\mathbf{H3}$-healthy}
$= P$

□


Lemma L.C.6.2 Provided $f$ is bijective,

$\mathbf{PBMH}(P)[f(ac')/ac'] = \mathbf{PBMH}(P[f(ac')/ac'])$

Proof.

$\mathbf{PBMH}(P[f(ac')/ac'])$ {Definition of $\mathbf{PBMH}$}
$= \exists ac_0 \bullet P[f(ac')/ac'][ac_0/ac'] \land ac_0 \subseteq ac'$ {Substitution}
$= \exists ac_0 \bullet P[f(ac_0)/ac'] \land ac_0 \subseteq ac'$ {Predicate calculus}
$= \exists ac_0 \bullet (\exists ac_1 \bullet P[ac_1/ac'] \land ac_1 = f(ac_0)) \land ac_0 \subseteq ac'$ {Assumption: $f$ is bijective}
$= \exists ac_0 \bullet (\exists ac_1 \bullet P[ac_1/ac'] \land f^{-1}(ac_1) = ac_0) \land ac_0 \subseteq ac'$ {One-point rule}
$= \exists ac_1 \bullet P[ac_1/ac'] \land f^{-1}(ac_1) \subseteq ac'$ {Assumption: $f$ is bijective}
$= \exists ac_1 \bullet P[ac_1/ac'] \land ac_1 \subseteq f(ac')$ {Substitution}
$= (\exists ac_1 \bullet P[ac_1/ac'] \land ac_1 \subseteq ac')[f(ac')/ac']$ {Definition of $\mathbf{PBMH}$}
$= \mathbf{PBMH}(P)[f(ac')/ac']$

□


Lemma L.C.6.3 $P \land ac' = \emptyset = P[\emptyset/ac'] \land ac' = \emptyset$

Proof.

$P \land ac' = \emptyset$ {Predicate calculus and fresh variable}
$= \exists ac_0 \bullet P[ac_0/ac'] \land ac' = ac_0 \land ac' = \emptyset$ {Transitivity of equality}
$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 = \emptyset \land ac' = \emptyset$ {One-point rule}
$= P[\emptyset/ac'] \land ac' = \emptyset$

□


Lemma L.C.6.4

$pbmh2d \circ d2pbmh(P) = (\lnot P^f[\emptyset/ac'] \land \lnot P^t[\emptyset/ac'] \vdash (\lnot P^f \Rightarrow P^t))$

Proof.

$pbmh2d \circ d2pbmh(P)$ {Definition of $pbmh2d$}
$= (\lnot d2pbmh(P)[\emptyset/ac'] \vdash d2pbmh(P)[dashset(ac')/ac'])[s/in\alpha_{ok}]$ {Definition of $d2pbmh$}
$= (\lnot (\lnot P^f \Rightarrow P^t)[true/ok][undashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s][\emptyset/ac'] \vdash (\lnot P^f \Rightarrow P^t)[true/ok][undashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s][dashset(ac')/ac'])[s/in\alpha_{ok}]$ {Substitution}
$= (\lnot (\lnot P^f \Rightarrow P^t)[true/ok][undashset(\emptyset)/ac'][\mathit{State}_{II}(in\alpha_{ok})/s] \vdash (\lnot P^f \Rightarrow P^t)[true/ok][undashset \circ dashset(ac')/ac'][\mathit{State}_{II}(in\alpha_{ok})/s])[s/in\alpha_{ok}]$ {Lemma L.D.1.11}
$= (\lnot (\lnot P^f \Rightarrow P^t)[true/ok][undashset(\emptyset)/ac'] \vdash (\lnot P^f \Rightarrow P^t)[true/ok][undashset \circ dashset(ac')/ac'])$ {$ok$ not free}
$= (\lnot (\lnot P^f \Rightarrow P^t)[undashset(\emptyset)/ac'] \vdash (\lnot P^f \Rightarrow P^t)[undashset \circ dashset(ac')/ac'])$ {Property of $undashset$ and $dashset$}
$= (\lnot (\lnot P^f \Rightarrow P^t)[\emptyset/ac'] \vdash (\lnot P^f \Rightarrow P^t))$ {Substitution}
$= (\lnot P^f[\emptyset/ac'] \land \lnot P^t[\emptyset/ac'] \vdash (\lnot P^f \Rightarrow P^t))$

□



Appendix D

State Substitution Rules

D.1 State Substitution

The substitution operator $[\mathbf{s}/S\alpha]$, where the boldface indicates that $\mathbf{s}$ is a record, is defined for an arbitrary set of variables $S\alpha$ as follows.

Definition 101

$P[z/S\alpha] = P[z.s_0, \ldots, z.s_n / s_0, \ldots, s_n]$

Each variable $s_i$ in $S\alpha$ is replaced with $z.s_i$. As an example, we consider the substitution $(x' = 2 \land ok')[s, z / in\alpha_{ok}, out\alpha_{ok}']$, whose result is $z.x' = 2 \land z.ok'$: every variable of $out\alpha_{ok}'$, including $ok'$, becomes the corresponding component of $z$, while the substitution for $in\alpha_{ok}$ has no effect because no undashed variable occurs. The substitution $[z/S\alpha]$ is well-formed whenever $S\alpha$ is a subset of the record components of $z$.


Lemma L.D.1.1 Provided that $A\alpha \cap B\alpha = \emptyset$, $A\alpha \subseteq S\alpha$ and $B\alpha \subseteq S\alpha$,

$P[z/S\alpha] = P[z/A\alpha][z/B\alpha]$

Proof. Suppose:

• $S\alpha = \{s_0, \ldots, s_n, \ldots, s_m\}$, $A\alpha = \{s_0, \ldots, s_n\}$, $B\alpha = \{s_{n+1}, \ldots, s_m\}$

Then:

$P[z/S\alpha]$ {Definition 101}
$= P[z.s_0, \ldots, z.s_n, z.s_{n+1}, \ldots, z.s_m / s_0, \ldots, s_n, s_{n+1}, \ldots, s_m]$ {Property of substitution}
$= P[z.s_0, \ldots, z.s_n / s_0, \ldots, s_n][z.s_{n+1}, \ldots, z.s_m / s_{n+1}, \ldots, s_m]$ {Definition 101}
$= P[z/A\alpha][z/B\alpha]$

□
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Lemma L.D.1.2 Provided that Aa fl Ba = 0, Aa C Sa and Ba C Sa, 


P[ zj 5a] 


^ 3 2 a, 2 b • 5[zA/Ma][zB/5a] ^ 

A 

\ (/\ x : ^4a • 2 , 4 .x = z.x) A (/\ x : 5a • 2 b-X = 2 .x) / 


Proof. Suppose: 


• ScX {Sq, ... j S n , ■ • • , S m }, ^4a {Sq, ■ ■ ■ , S ra }, 5a {s n _|_ 4 , ■ ■ ■ , Sm} 


Then: 


^ 3 2 ^ : State(Aa), zb '■ State(Ba) • 5[zA/Ma] [zB/5a] ^ 

A 

\ ( f\ x : Aa • za-X = 2 .x) A (f\ x : 5a • 2 b.x = 2 .x) / 

( 3 2 a : State(Aa),ZB ■ State(Ba) • P[za/A a][z B /Ba] ^ 
A 

(■ ZA-Sq = Z.So A ... A Z A .S n = Z.S n ) 


{Predicate calculus} 


A 


{Definition 11011} 


7 


7 


\ (^B-Sn+l 2.S n _|-i A ... A ZB-Sm 2.S m ) 

^ 3 2 a : State(Aa),ZB ■ State(Ba) • \ 

P[z A .So, • • ■ , ZA-S n / So, ■ ■ ■ , S n ] [2B-Sn+1; ■ ■ • , Zb■ S m /S n + 4, • • • , S m ] 

A 

Oa-«0 = 2.S 0 A ... A 2a-S„ = Z.Sn) 

A 

y {zb- Sn+1 2.S ra -|_i A ... A ZB-S m Z.S m ) 

{Equality of records} 

^ 3 2 a : State(Aa),ZB : State(Ba) • \ 

5[2A.S 0 , • • • , ZA-Snj So, ■ ■ ■ , ®n] [^B-^n+lj ■ ■ • , ZB-S m / Sn+1, . . . , S m ] 

A 

2a = {so ^ 2.S 0 , . . . , S n 2.S„} 

A 

y 2 b {Sn+1 1 t 2.S n _|-l, ■ ■ ■ : Sm 1 t 2.S m } 

{One-point rule and substitution} 


7 
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= P 


So H* Z.Sq, 1 

I 1 

f So e-)- Z.Sq, 'j 

s n * y z>s n J 

> -So, • • • , < 

l " H f 

^ s n i y z.s n J 


•$n / ^ 0 ? • • • i 


^n+l 1 ^ Z>'Sn-\-li 1 

i j 

f ^n+1 1 ^ Z’Sn+li 1 

.... 

Sm 1 ^ %• S m J 

f -^n+l;■•■j > 

{ Sm | —^ Z.S m ) 


•Sm. / ^n+1? • • * j Sm 

{Record component} 


P\z.S o, . . . i Z.Snj So, • • • , Sn] [z~ Sn +1 , • • • , Z.S m / S n _|_i, . . . , S m ] 

= P[z/Aa][z/Ba] 

= P[z/Sa] 


{Definition 11011} 
{Lemma IL.D.l.ll} 


□ 


Lemma L.D.1.3 Provided $z, y : State(S\alpha)$,

$P[z/S\alpha][y \oplus \{s_i \mapsto e\}/z] = P[y/(S\alpha \setminus \{s_i\})][e/s_i]$

Proof.

$P[z/S\alpha][y \oplus \{s_i \mapsto e\}/z]$ {Definition 101}
$= P[z.s_0, \ldots, z.s_i, \ldots, z.s_n / s_0, \ldots, s_i, \ldots, s_n][y \oplus \{s_i \mapsto e\}/z]$ {Substitution}
$= P[(y \oplus \{s_i \mapsto e\}).s_0, \ldots, (y \oplus \{s_i \mapsto e\}).s_i, \ldots, (y \oplus \{s_i \mapsto e\}).s_n / s_0, \ldots, s_i, \ldots, s_n]$ {Property of record components}
$= P[y.s_0, \ldots, e, \ldots, y.s_n / s_0, \ldots, s_i, \ldots, s_n]$ {Property of substitution}
$= P[y.s_0, \ldots, y.s_n / s_0, \ldots, s_n][e/s_i]$ {Definition 101}
$= P[y/(S\alpha \setminus \{s_i\})][e/s_i]$

□


Lemma L.D.1.4 Provided $z, y : State(S\alpha)$ and $s_i$ not free in $e$,

$P[z/S\alpha][y \oplus \{s_i \mapsto e\}/z] = P[e/s_i][y/S\alpha]$

Proof.

$P[z/S\alpha][y \oplus \{s_i \mapsto e\}/z]$ {Definition 101}
$= P[z.s_0, \ldots, z.s_i, \ldots, z.s_n / s_0, \ldots, s_i, \ldots, s_n][y \oplus \{s_i \mapsto e\}/z]$ {Substitution}
$= P[(y \oplus \{s_i \mapsto e\}).s_0, \ldots, (y \oplus \{s_i \mapsto e\}).s_i, \ldots, (y \oplus \{s_i \mapsto e\}).s_n / s_0, \ldots, s_i, \ldots, s_n]$ {Property of record components}
$= P[y.s_0, \ldots, e, \ldots, y.s_n / s_0, \ldots, s_i, \ldots, s_n]$ {Property of substitution}
$= P[e/s_i][y.s_0, \ldots, y.s_n / s_0, \ldots, s_n]$ {Substitution: $s_i$ not free in $e$}
$= P[e/s_i][y.s_0, \ldots, y.s_i, \ldots, y.s_n / s_0, \ldots, s_i, \ldots, s_n]$ {Definition 101}
$= P[e/s_i][y/S\alpha]$

□


Lemma L.D.1.5 Provided $s_i \in S\alpha$,

$P[e/s_i][z/S\alpha] = P[z/S\alpha \setminus \{s_i\}][e[z/S\alpha]/s_i]$

Proof.

$P[e/s_i][z/S\alpha]$ {Definition 101}
$= P[e/s_i][z.s_0, \ldots, z.s_i, \ldots, z.s_n / s_0, \ldots, s_i, \ldots, s_n]$ {Substitution: $s_i$ not free in $P$}
$= P[z.s_0, \ldots, z.s_n / s_0, \ldots, s_n][e[z.s_0, \ldots, z.s_i, \ldots, z.s_n / s_0, \ldots, s_i, \ldots, s_n]/s_i]$ {Definition 101}
$= P[z/S\alpha \setminus \{s_i\}][e[z/S\alpha]/s_i]$

□

Lemma L.D.1.6 $P[z/(S\alpha \cup T\alpha)] = P[z/S\alpha][z/T\alpha]$

Proof.

$P[z/(S\alpha \cup T\alpha)]$ {Definition 101}
$= P[z.s_0, z.t_0, \ldots, z.s_n, z.t_n / s'_0, t'_0, \ldots, s'_n, t'_n]$ {Substitution}
$= P[z.s_0, \ldots, z.s_n / s'_0, \ldots, s'_n][z.t_0, \ldots, z.t_n / t'_0, \ldots, t'_n]$ {Definition 101}
$= P[z/S\alpha][z/T\alpha]$

□

Lemma L.D.1.7

$P[e_0, \ldots, e_n / x_0, \ldots, x_n][z/S\alpha] = P[z/(S\alpha \setminus T\alpha)][e_0[z/T\alpha], \ldots, e_n[z/T\alpha] / x_0, \ldots, x_n]$

Provided that:

1. $T\alpha \subseteq S\alpha$

2. $T\alpha = \{x_0, \ldots, x_n\}$

3. $\forall y \bullet y \in (S\alpha \setminus T\alpha) \Rightarrow y \notin fv(e_0, \ldots, e_n)$

Proof.

$P[e_0, \ldots, e_n / x_0, \ldots, x_n][z/S\alpha]$ {Property of sets}
$= P[e_0, \ldots, e_n / x_0, \ldots, x_n][z/(S\alpha \setminus T\alpha) \cup T\alpha]$ {Lemma L.D.1.6}
$= P[e_0, \ldots, e_n / x_0, \ldots, x_n][z/(S\alpha \setminus T\alpha)][z/T\alpha]$ {Substitution: Assumption 1}
$= P[z/(S\alpha \setminus T\alpha)][e_0, \ldots, e_n / x_0, \ldots, x_n][z/T\alpha]$ {Substitution}
$= P[z/(S\alpha \setminus T\alpha)][e_0[z/T\alpha], \ldots, e_n[z/T\alpha] / x_0, \ldots, x_n]$ {Property of substitution}
$= P[z/(S\alpha \setminus T\alpha)][z/T\alpha][T\alpha/z][e_0[z/T\alpha], \ldots, e_n[z/T\alpha] / x_0, \ldots, x_n]$ {Lemma L.D.1.6}
$= P[z/(S\alpha \setminus T\alpha) \cup T\alpha][T\alpha/z][e_0[z/T\alpha], \ldots, e_n[z/T\alpha] / x_0, \ldots, x_n]$ {Property of sets}
$= P[z/S\alpha][T\alpha/z][e_0[z/T\alpha], \ldots, e_n[z/T\alpha] / x_0, \ldots, x_n]$ {Definition}
$= P[z/S\alpha][x_0, \ldots, x_n / z.x_0, \ldots, z.x_n][e_0[z/T\alpha], \ldots, e_n[z/T\alpha] / x_0, \ldots, x_n]$ {Property of substitution}
$= P[z/S\alpha][e_0[z/T\alpha], \ldots, e_n[z/T\alpha] / z.x_0, \ldots, z.x_n]$

□

Definition 140 For $S\alpha = \{x_0, \ldots, x_n\}$,

$State_U(S\alpha) = \{x_0 \mapsto x_0, \ldots, x_n \mapsto x_n\}$


Lemma L.D.1.8 $State_U(S\alpha)' = \{x'_0 \mapsto x_0, \ldots, x'_n \mapsto x_n\}$

Proof.

$State_U(S\alpha)'$ {Definition of $State_U(S\alpha)$}
$= (\{x_0 \mapsto x_0, \ldots, x_n \mapsto x_n\})'$ {Definition of $'$ on $State$}
$= \{x'_0 \mapsto x_0, \ldots, x'_n \mapsto x_n\}$

□


Lemma L.D.1.9

$\exists z : State(S\alpha) \bullet P \wedge (\bigwedge x : S\alpha \bullet z.x = x) = P[State_U(S\alpha)/z]$

Proof.

$\exists z : State(S\alpha) \bullet P \wedge (\bigwedge x : S\alpha \bullet z.x = x)$ {Equality of records}
$= \exists z : State(S\alpha) \bullet P \wedge z = \{x_0 \mapsto x_0, \ldots, x_n \mapsto x_n\}$ {Definition of $State_U$}
$= \exists z : State(S\alpha) \bullet P \wedge State_U(S\alpha) = z$ {One-point rule}
$= P[State_U(S\alpha)/z]$

□


Lemma L.D.1.10 Provided $z$ is not free in $P$,

$P[z/S\alpha][State_U(S\alpha)/z] = P$

Proof.

$P[z/S\alpha][State_U(S\alpha)/z]$ {Definition of state substitution}
$= P[z.x_0, \ldots, z.x_n / x_0, \ldots, x_n][State_U(S\alpha)/z]$ {Definition of $State_U(S\alpha)$}
$= P[z.x_0, \ldots, z.x_n / x_0, \ldots, x_n][\{x_0 \mapsto x_0, \ldots, x_n \mapsto x_n\}/z]$ {Substitution: $z$ is not free in $P$}
$= P[\{x_0 \mapsto x_0, \ldots, x_n \mapsto x_n\}.x_0, \ldots, \{x_0 \mapsto x_0, \ldots, x_n \mapsto x_n\}.x_n / x_0, \ldots, x_n]$ {Value of state component}
$= P[x_0, \ldots, x_n / x_0, \ldots, x_n]$ {Property of substitution}
$= P$

□


Lemma L.D.1.11 Provided none of the variables in $S\alpha$ are free in $P$,

$P[State_U(S\alpha)/z][z/S\alpha] = P$

Proof.

$P[State_U(S\alpha)/z][z/S\alpha]$ {Definition of $State_U(S\alpha)$ and state substitution}
$= P[\{x_0 \mapsto x_0, \ldots, x_n \mapsto x_n\}/z][z.x_0, \ldots, z.x_n / x_0, \ldots, x_n]$ {Substitution: $x_i \notin fv(P)$}
$= P[\{x_0 \mapsto z.x_0, \ldots, x_n \mapsto z.x_n\}/z]$ {Equality of records}
$= P[z/z]$ {Property of substitution}
$= P$

□

Lemma L.D.1.12 Provided $x_i \in S\alpha$ and $x_i$ is not free in $P$ nor in $e$,

$P[State_U(S\alpha)/z][e/x_i] = P[z \oplus \{x_i \mapsto e\}/z][State_U(S\alpha)/z]$

Proof.

$P[State_U(S\alpha)/z][e/x_i]$ {Definition of $State_U(S\alpha)$}
$= P[\{x_0 \mapsto x_0, \ldots, x_i \mapsto x_i, \ldots, x_n \mapsto x_n\}/z][e/x_i]$ {Substitution: $x_i$ not free in $P$}
$= P[\{x_0 \mapsto x_0, \ldots, x_i \mapsto e, \ldots, x_n \mapsto x_n\}/z]$ {Property of sets}
$= P[\{x_0 \mapsto x_0, \ldots, x_i \mapsto x_i, \ldots, x_n \mapsto x_n\} \oplus \{x_i \mapsto e\}/z]$ {Definition of $State_U(S\alpha)$}
$= P[State_U(S\alpha) \oplus \{x_i \mapsto e\}/z]$ {Substitution}
$= P[z \oplus \{x_i \mapsto e\}/z][State_U(S\alpha)/z]$

□


D.2 dash and undash

Definition 141

$dash(z) = \{x : S\alpha, e \mid (x \mapsto e) \in z \bullet x' \mapsto e\}$
$undash(z) = \{x : S\alpha, e \mid (x' \mapsto e) \in z \bullet x \mapsto e\}$

The function $dash$ considers every pair $(x, e)$ in $z$, where $x$ is a variable name and $e$ the corresponding expression or value associated with $x$, and dashes the name of $x$ into $x'$. Function $undash$ is similar except for the undash of $x'$ to $x$.

Lemma L.D.2.1 $dash(z).x' = z.x$

Proof.

$dash(z).x'$ {Definition of $dash$}
$= \{y : S\alpha, e \mid (y \mapsto e) \in z \bullet y' \mapsto e\}.x'$ {Value of record component $x'$}
$= \{y : S\alpha, e \mid (y \mapsto e) \in z\}.x$ {Definition of record}
$= z.x$

□


Lemma L.D.2.2 $undash(z).x = z.x'$

Proof.

$undash(z).x$ {Definition of $undash$}
$= \{y : S\alpha, e \mid (y' \mapsto e) \in z \bullet y \mapsto e\}.x$ {Value of record component $x'$}
$= \{y : S\alpha, e \mid (y' \mapsto e) \in z\}.x'$ {Definition of record}
$= z.x'$

□

Lemma L.D.2.3 $undash \circ dash(z) = z$

Proof.

$undash \circ dash(z)$ {Definition of $undash$}
$= \{y_0 : S\alpha, e_0 \mid (y'_0 \mapsto e_0) \in dash(z) \bullet y_0 \mapsto e_0\}$ {Definition of $dash$}
$= \{y_0 : S\alpha, e_0 \mid (y'_0 \mapsto e_0) \in \{x : S\alpha, e \mid (x \mapsto e) \in z \bullet x' \mapsto e\} \bullet y_0 \mapsto e_0\}$ {Property of sets}
$= \{y_0 : S\alpha, e_0 \mid \exists x, e \bullet (x \mapsto e) \in z \wedge (x' \mapsto e) = (y'_0 \mapsto e_0) \bullet y_0 \mapsto e_0\}$ {Undash variables}
$= \{y_0 : S\alpha, e_0 \mid \exists x, e \bullet (x \mapsto e) \in z \wedge (x \mapsto e) = (y_0 \mapsto e_0) \bullet y_0 \mapsto e_0\}$ {One-point rule}
$= \{y_0 : S\alpha, e_0 \mid (y_0 \mapsto e_0) \in z \bullet y_0 \mapsto e_0\}$ {Property of sets}
$= \{y_0 : S\alpha, e_0 \mid (y_0 \mapsto e_0) \in z\}$ {Property of sets}
$= z$

□


Lemma L.D.2.4 $dash \circ undash(z) = z$

Proof.

$dash \circ undash(z)$ {Definition of $dash$}
$= \{y_0 : S\alpha, e_0 \mid (y_0 \mapsto e_0) \in undash(z) \bullet y'_0 \mapsto e_0\}$ {Definition of $undash$}
$= \{y_0 : S\alpha, e_0 \mid (y_0 \mapsto e_0) \in \{x : S\alpha, e \mid (x' \mapsto e) \in z \bullet x \mapsto e\} \bullet y'_0 \mapsto e_0\}$ {Property of sets}
$= \{y_0 : S\alpha, e_0 \mid \exists x, e \bullet (x' \mapsto e) \in z \wedge (x \mapsto e) = (y_0 \mapsto e_0) \bullet y'_0 \mapsto e_0\}$ {Dash variables}
$= \{y_0 : S\alpha, e_0 \mid \exists x, e \bullet (x' \mapsto e) \in z \wedge (x' \mapsto e) = (y'_0 \mapsto e_0) \bullet y'_0 \mapsto e_0\}$ {One-point rule}
$= \{y_0 : S\alpha, e_0 \mid (y'_0 \mapsto e_0) \in z \bullet y'_0 \mapsto e_0\}$ {Property of sets}
$= \{y_0 : S\alpha, e_0 \mid (y'_0 \mapsto e_0) \in z\}$ {Property of sets}
$= z$

□


Lemma L.D.2.5 Provided $y$ is fresh,

$\exists z \bullet P \wedge undash(z) \in ac' = \exists y \bullet P[dash(y)/z] \wedge y \in ac'$

Proof.

$\exists z \bullet P \wedge undash(z) \in ac'$ {Introduce fresh variable}
$= \exists z, y \bullet P \wedge y \in ac' \wedge y = undash(z)$ {Property of $dash$}
$= \exists z, y \bullet P \wedge y \in ac' \wedge dash(y) = dash \circ undash(z)$ {$dash \circ undash(z) = z$}
$= \exists z, y \bullet P \wedge y \in ac' \wedge dash(y) = z$ {One-point rule}
$= \exists y \bullet P[dash(y)/z] \wedge y \in ac'$

□
Appendix E
PBMH

E.1 Definition

Definition 88

$PBMH(P) = P ; (ac \subseteq ac' \wedge ok' = ok)$

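A worked instance of Definition 88, added here and not part of the thesis, computed with the equivalent form of Lemma L.4.2.1 (Section E.4); the final states $s_1$ and $s_2$ are assumed names.

$$
\begin{array}{ll}
PBMH(ac' = \{s_1\}) & \{\text{Lemma L.4.2.1}\} \\
= \exists ac_0 \bullet (ac' = \{s_1\})[ac_0/ac'] \wedge ac_0 \subseteq ac' & \{\text{Substitution}\} \\
= \exists ac_0 \bullet ac_0 = \{s_1\} \wedge ac_0 \subseteq ac' & \{\text{One-point rule}\} \\
= \{s_1\} \subseteq ac' & \{\text{Property of sets}\} \\
= s_1 \in ac' & \\[1ex]
PBMH(ac' = \emptyset) & \{\text{Lemma L.4.2.1 and one-point rule}\} \\
= \emptyset \subseteq ac' & \{\text{Property of sets}\} \\
= true & \\[1ex]
PBMH(ac' = \{s_1\} \vee ac' = \{s_2\}) & \{\text{Theorem T.E.2.2 and the first instance}\} \\
= s_1 \in ac' \vee s_2 \in ac' &
\end{array}
$$

In each case the assertion on exactly which final states are available is weakened to a lower bound, so PBMH closes $ac'$ upwards; applying it again changes nothing, since $PBMH(s_1 \in ac') = s_1 \in ac'$ by Lemma L.E.4.3.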

E.2 Properties 

Lemma L.E.2.1 $P \Rightarrow PBMH(P)$

Proof.

$P$ {Predicate calculus}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 = ac'$ {Property of sets}
$\Rightarrow \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P)$

□

Theorem T.E.2.1 $PBMH \circ PBMH(P) = PBMH(P)$

Proof.

$PBMH \circ PBMH(P)$ {Definition of PBMH}
$= PBMH(P ; ac \subseteq ac' \wedge v' = v)$ {Definition of PBMH}
$= ((P ; ac \subseteq ac' \wedge v' = v) ; ac \subseteq ac' \wedge v' = v)$ {Associativity of sequential composition}
$= (P ; (ac \subseteq ac' \wedge v' = v ; ac \subseteq ac' \wedge v' = v))$ {Definition of sequential composition}
$= (P ; (\exists ac_0 \bullet ac \subseteq ac_0 \wedge ac_0 \subseteq ac'))$ {Transitivity of subset inclusion}
$= (P ; ac \subseteq ac')$ {Definition of sequential composition}
$= (P ; ac \subseteq ac' \wedge v' = v)$ {Definition of PBMH}
$= PBMH(P)$

□


Theorem T.E.2.2 $PBMH(P \vee Q) = PBMH(P) \vee PBMH(Q)$

Proof.

$PBMH(P \vee Q)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet (P \vee Q)[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Property of substitution}
$= \exists ac_0 \bullet (P[ac_0/ac'] \vee Q[ac_0/ac']) \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= \exists ac_0 \bullet (P[ac_0/ac'] \wedge ac_0 \subseteq ac') \vee (Q[ac_0/ac'] \wedge ac_0 \subseteq ac')$ {Predicate calculus}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') \vee (\exists ac_0 \bullet Q[ac_0/ac'] \wedge ac_0 \subseteq ac')$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P) \vee PBMH(Q)$

□


Lemma L.E.2.2 Provided $P$ satisfies PBMH, $P[\emptyset/ac'] \vee P = P$

Proof.

$P[\emptyset/ac'] \vee P$ {Assumption: $P$ is PBMH-healthy}
$= (P ; ac \subseteq ac')[\emptyset/ac'] \vee (P ; ac \subseteq ac')$ {Substitution}
$= (P ; ac \subseteq \emptyset) \vee (P ; ac \subseteq ac')$ {Distributivity of sequential composition w.r.t. disjunction}
$= P ; (ac \subseteq \emptyset \vee ac \subseteq ac')$ {Property of subset inclusion}
$= P ; (ac \subseteq ac')$ {Assumption: $P$ is PBMH-healthy}
$= P$

□
E.3 Closure Properties

Lemma L.E.3.1 Provided $P$ and $Q$ satisfy PBMH,

$PBMH(P \wedge Q) = PBMH(P) \wedge PBMH(Q)$

Proof.

$PBMH(P \wedge Q)$ {Assumption: $P$ and $Q$ are PBMH-healthy and Theorem T.E.3.1}
$= PBMH(P) \wedge PBMH(Q)$

□


Lemma L.E.3.2 $PBMH(P \wedge Q) \Rightarrow PBMH(P) \wedge PBMH(Q)$

Proof.

$PBMH(P \wedge Q)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet (P \wedge Q)[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Substitution}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge Q[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$\Rightarrow (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') \wedge (\exists ac_0 \bullet Q[ac_0/ac'] \wedge ac_0 \subseteq ac')$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P) \wedge PBMH(Q)$

□


Theorem T.E.3.1 Provided $P$ and $Q$ are PBMH-healthy,

$PBMH(P \wedge Q) = P \wedge Q$

Proof.

$PBMH(P \wedge Q)$ {Assumption: $P$ and $Q$ are PBMH-healthy}
$= PBMH(PBMH(P) \wedge PBMH(Q))$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet (PBMH(P) \wedge PBMH(Q))[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet ((\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') \wedge (\exists ac_0 \bullet Q[ac_0/ac'] \wedge ac_0 \subseteq ac'))[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Variable renaming}
$= \exists ac_0 \bullet ((\exists ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq ac') \wedge (\exists ac_2 \bullet Q[ac_2/ac'] \wedge ac_2 \subseteq ac'))[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Substitution}
$= \exists ac_0 \bullet ((\exists ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq ac_0) \wedge (\exists ac_2 \bullet Q[ac_2/ac'] \wedge ac_2 \subseteq ac_0)) \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= (\exists ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq ac') \wedge (\exists ac_2 \bullet Q[ac_2/ac'] \wedge ac_2 \subseteq ac')$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P) \wedge PBMH(Q)$ {Assumption: $P$ and $Q$ are PBMH-healthy}
$= P \wedge Q$

□


Theorem T.E.3.2 Provided $P$ and $Q$ satisfy PBMH,

$PBMH(P \vee Q) = P \vee Q$

Proof.

$PBMH(P \vee Q)$ {Theorem T.E.2.2}
$= PBMH(P) \vee PBMH(Q)$ {Assumption: $P$ and $Q$ satisfy PBMH}
$= P \vee Q$

□
E.4 Lemmas

Lemma L.4.2.1 $PBMH(P) = \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac'$

Proof.

$PBMH(P)$ {Definition of PBMH}
$= P ; ac \subseteq ac' \wedge v' = v$ {Definition of sequential composition}
$= \exists ac_0, v_0 \bullet P[ac_0, v_0 / ac', v'] \wedge ac_0 \subseteq ac' \wedge v' = v_0$ {One-point rule}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac'$

□


Lemma L.E.4.1 $PBMH(true) = true$

Proof.

$PBMH(true)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet true[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Property of substitution and predicate calculus}
$= true$

□


Lemma L.E.4.2 $PBMH(false) = false$

Proof.

$PBMH(false)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet false[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Substitution and predicate calculus}
$= false$

□


Lemma L.E.4.3 $PBMH(s \in ac') = s \in ac'$

Proof.

$PBMH(s \in ac')$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet (s \in ac')[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Substitution}
$= \exists ac_0 \bullet s \in ac_0 \wedge ac_0 \subseteq ac'$ {Property of sets}
$= s \in ac'$

□


Lemma L.E.4.4 $PBMH(ac' \neq \emptyset) = ac' \neq \emptyset$

Proof.

$PBMH(ac' \neq \emptyset)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet ac_0 \neq \emptyset \wedge ac_0 \subseteq ac'$ {Property of sets (Lemma L.1.0.15)}
$= ac' \neq \emptyset$

□


Lemma L.E.4.5 Provided $ac'$ is not free in $P$, $PBMH(P) = P$.

Proof.

$PBMH(P)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Assumption: $ac'$ not free in $P$ and predicate calculus}
$= P \wedge \exists ac_0 \bullet ac_0 \subseteq ac'$ {Case-analysis on $ac_0$}
$= P$

□

Lemma L.E.4.6 Provided $c$ is a condition, $PBMH(c) = c$.

Proof.

$PBMH(c)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet c[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Assumption: $c$ is a condition, hence $ac'$ is not free}
$= \exists ac_0 \bullet c \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= c$

□


Lemma L.E.4.7 $PBMH(x \in ac') = x \in ac'$

Proof.

$PBMH(x \in ac')$ {Lemma L.4.2.1}
$= \exists ac_0 \bullet x \in ac_0 \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= x \in ac'$

□

Lemma L.E.4.8 Provided $ac'$ is not free in $c$, $PBMH(c \wedge P) = c \wedge PBMH(P)$

Proof.

$PBMH(c \wedge P)$ {Lemma L.4.2.1}
$= \exists ac_0 \bullet (c \wedge P)[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Assumption: $c$ is a condition, hence $ac'$ is not free}
$= \exists ac_0 \bullet c \wedge P[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= c \wedge \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Lemma L.4.2.1}
$= c \wedge PBMH(P)$

□

Lemma L.E.4.9 Provided $ac'$ is not free in $c$,

$PBMH(P \lhd c \rhd Q) = PBMH(P) \lhd c \rhd PBMH(Q)$

Proof.

$P BMH(P \lhd c \rhd Q)$ {Definition of conditional}
$= PBMH((c \wedge P) \vee (\neg c \wedge Q))$ {Distributivity of PBMH}
$= PBMH(c \wedge P) \vee PBMH(\neg c \wedge Q)$ {Lemma L.E.4.8}
$= (c \wedge PBMH(P)) \vee (\neg c \wedge PBMH(Q))$ {Definition of conditional}
$= PBMH(P) \lhd c \rhd PBMH(Q)$

□


Lemma L.E.4.10 Provided $ac'$ is not free in $e$,

$PBMH(\exists y \bullet y \in ac' \wedge e) = \exists y \bullet y \in ac' \wedge e$

Proof.

$PBMH(\exists y \bullet y \in ac' \wedge e)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet (\exists y \bullet y \in ac' \wedge e)[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Substitution: $ac'$ not free in $e$}
$= \exists ac_0 \bullet (\exists y \bullet y \in ac_0 \wedge e) \wedge ac_0 \subseteq ac'$ {Property of sets}
$= \exists y \bullet y \in ac' \wedge e$

□


Lemma L.E.4.11

$(P \wedge ac' \neq \emptyset) ;_A (Q \wedge ac' \neq \emptyset) = ((P \wedge ac' \neq \emptyset) ;_A (Q \wedge ac' \neq \emptyset)) \wedge ac' \neq \emptyset$

Proof.

$(P \wedge ac' \neq \emptyset) ;_A (Q \wedge ac' \neq \emptyset)$ {Definition of $;_A$}
$= (P \wedge ac' \neq \emptyset)[\{z \mid (Q \wedge ac' \neq \emptyset)[z/s]\}/ac']$ {Substitution}
$= (P \wedge ac' \neq \emptyset)[\{z \mid Q[z/s] \wedge ac' \neq \emptyset\}/ac']$ {Substitution}
$= P[\{z \mid Q[z/s] \wedge ac' \neq \emptyset\}/ac'] \wedge \{z \mid Q[z/s] \wedge ac' \neq \emptyset\} \neq \emptyset$ {Propositional calculus}
$= P[\{z \mid Q[z/s] \wedge ac' \neq \emptyset\}/ac'] \wedge \exists z \bullet z \in \{z \mid Q[z/s] \wedge ac' \neq \emptyset\}$ {Property of sets}
$= P[\{z \mid Q[z/s] \wedge ac' \neq \emptyset\}/ac'] \wedge \exists z \bullet Q[z/s] \wedge ac' \neq \emptyset$ {Predicate calculus: quantifier scope and duplicate term}
$= P[\{z \mid Q[z/s] \wedge ac' \neq \emptyset\}/ac'] \wedge (\exists z \bullet Q[z/s] \wedge ac' \neq \emptyset) \wedge ac' \neq \emptyset$ {Property of sets}
$= P[\{z \mid Q[z/s] \wedge ac' \neq \emptyset\}/ac'] \wedge \{z \mid Q[z/s] \wedge ac' \neq \emptyset\} \neq \emptyset \wedge ac' \neq \emptyset$ {Re-introduce $ac'$ and substitution}
$= ((P \wedge ac' \neq \emptyset)[\{z \mid Q[z/s] \wedge ac' \neq \emptyset\}/ac']) \wedge ac' \neq \emptyset$ {Substitution}
$= ((P \wedge ac' \neq \emptyset)[\{z \mid (Q \wedge ac' \neq \emptyset)[z/s]\}/ac']) \wedge ac' \neq \emptyset$ {Definition of $;_A$}
$= ((P \wedge ac' \neq \emptyset) ;_A (Q \wedge ac' \neq \emptyset)) \wedge ac' \neq \emptyset$

□


Lemma L.E.4.12 $PBMH(P ; ac = \emptyset) = P ; ac = \emptyset$

Proof.

$PBMH(P ; ac = \emptyset)$ {Definition of PBMH}
$= (P ; ac = \emptyset) ; ac \subseteq ac' \wedge v' = v$ {Associativity of sequential composition}
$= P ; (ac = \emptyset ; ac \subseteq ac' \wedge v' = v)$ {Definition of sequential composition}
$= P ; (\exists ac_0, v_0 \bullet ac = \emptyset \wedge ac_0 \subseteq ac' \wedge v' = v_0)$ {One-point rule}
$= P ; (\exists ac_0 \bullet ac = \emptyset \wedge ac_0 \subseteq ac')$ {Propositional calculus}
$= P ; (ac = \emptyset \wedge \exists ac_0 \bullet ac_0 \subseteq ac')$ {Choose $ac_0 = \emptyset$}
$= P ; (ac = \emptyset \wedge true)$ {Propositional calculus}
$= P ; ac = \emptyset$

□


Lemma L.E.4.13 Provided $ac_1$ is not free in $F(x)$,

$\exists ac_1 \bullet (\forall x \bullet x \in ac_0 \Rightarrow F(x) \in ac_1) \wedge ac_1 \subseteq ac' \Leftrightarrow \forall x \bullet x \in ac_0 \Rightarrow F(x) \in ac'$

Proof. (Implication)

$\exists ac_1 \bullet (\forall x \bullet x \in ac_0 \Rightarrow F(x) \in ac_1) \wedge ac_1 \subseteq ac'$ {Predicate calculus}
$\Rightarrow \forall x \bullet \exists ac_1 \bullet (x \in ac_0 \Rightarrow F(x) \in ac_1) \wedge ac_1 \subseteq ac'$ {Predicate calculus}
$= \forall x \bullet \exists ac_1 \bullet (x \notin ac_0 \wedge ac_1 \subseteq ac') \vee (F(x) \in ac_1 \wedge ac_1 \subseteq ac')$ {Predicate calculus}
$= \forall x \bullet (\exists ac_1 \bullet x \notin ac_0 \wedge ac_1 \subseteq ac') \vee (\exists ac_1 \bullet F(x) \in ac_1 \wedge ac_1 \subseteq ac')$ {Predicate calculus}
$= \forall x \bullet (x \notin ac_0) \vee (\exists ac_1 \bullet F(x) \in ac_1 \wedge ac_1 \subseteq ac')$ {Assumption: $ac_1$ not free in $F(x)$ and predicate calculus}
$= \forall x \bullet x \notin ac_0 \vee F(x) \in ac'$ {Predicate calculus}
$= \forall x \bullet x \in ac_0 \Rightarrow F(x) \in ac'$

□

Proof. (Reverse implication)

$\forall x \bullet x \in ac_0 \Rightarrow F(x) \in ac'$ {Introduce fresh variable}
$= \exists ac_1 \bullet (\forall x \bullet x \in ac_0 \Rightarrow F(x) \in ac_1) \wedge ac_1 = ac'$ {Predicate calculus}
$\Rightarrow \exists ac_1 \bullet (\forall x \bullet x \in ac_0 \Rightarrow F(x) \in ac_1) \wedge ac_1 \subseteq ac'$

□


Lemma L.E.4.14 $P \sqsubseteq Q \Leftrightarrow [\{ac' \mid Q\} \subseteq \{ac' \mid P\}]$

Proof.

$P \sqsubseteq Q$ {Definition of $\sqsubseteq$}
$\Leftrightarrow [Q \Rightarrow P]$ {Universal quantification}
$\Leftrightarrow \forall ac', ok', ok, s \bullet Q \Rightarrow P$ {Property of sets}
$\Leftrightarrow \forall ac', ok', ok, s \bullet ac' \in \{ac' \mid Q\} \Rightarrow ac' \in \{ac' \mid P\}$ {Property of sets}
$\Leftrightarrow \forall ac', ok', ok, s \bullet \{ac' \mid Q\} \subseteq \{ac' \mid P\}$ {Universal quantification}
$\Leftrightarrow [\{ac' \mid Q\} \subseteq \{ac' \mid P\}]$

□


Lemma L.E.4.15 $PBMH(P) \Rightarrow \exists ac' \bullet P$

Proof.

$PBMH(P)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$\Rightarrow (\exists ac_0 \bullet P[ac_0/ac']) \wedge (\exists ac_0 \bullet ac_0 \subseteq ac')$ {Property of sets}
$= \exists ac_0 \bullet P[ac_0/ac']$ {Predicate calculus}
$= \exists ac' \bullet P$

□


Lemma L.E.4.16 $PBMH(P) ;_A true = \exists ac' \bullet P$

Proof.

$PBMH(P) ;_A true$ {Definition of PBMH (Lemma L.4.2.1)}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A true$ {Definition of $;_A$ and substitution}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid true\}$ {Property of sets}
$= \exists ac_0 \bullet P[ac_0/ac']$ {Predicate calculus}
$= \exists ac' \bullet P$

□


E.5 Substitution Lemmas 

Lemma L.E.5.1 $PBMH(P)^o_w = PBMH(P^o_w)$

Proof.

$PBMH(P)^o_w$ {Definition of PBMH (Lemma L.4.2.1)}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')^o_w$ {Substitution abbreviation}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')[o, s \oplus \{wait \mapsto w\} / ok', s]$ {Substitution}
$= \exists ac_0 \bullet P[ac_0/ac'][o, s \oplus \{wait \mapsto w\} / ok', s] \wedge ac_0 \subseteq ac'$ {Substitution}
$= \exists ac_0 \bullet P[o, s \oplus \{wait \mapsto w\} / ok', s][ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Substitution abbreviation}
$= \exists ac_0 \bullet P^o_w[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P^o_w)$

□


Lemma L.E.5.2 Provided $ac'$ is not free in $e$,

$PBMH(P)[e/s] = PBMH(P[e/s])$

Proof.

$PBMH(P)[e/s]$ {Definition of PBMH (Lemma L.4.2.1)}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')[e/s]$ {Property of substitution}
$= (\exists ac_0 \bullet P[ac_0/ac'][e/s] \wedge ac_0 \subseteq ac')$ {Property of substitution: $ac'$ not free in $e$ and $ac_0$ is fresh}
$= (\exists ac_0 \bullet P[e/s][ac_0/ac'] \wedge ac_0 \subseteq ac')$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P[e/s])$

□


Lemma L.E.5.3 Provided $x$ is not $ac'$, $PBMH(\exists x \bullet P) = \exists x \bullet PBMH(P)$

Proof.

$PBMH(\exists x \bullet P)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet (\exists x \bullet P)[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Assumption: $x$ is not $ac'$}
$= \exists ac_0 \bullet (\exists x \bullet P[ac_0/ac']) \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= \exists ac_0 \bullet (\exists x \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')$ {Predicate calculus}
$= \exists x \bullet (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists x \bullet PBMH(P)$

□


Lemma L.E.5.4 Provided $P$ is PBMH-healthy,

$PBMH(P[\{y\} \cap ac'/ac']) = PBMH(P)[\{y\} \cap ac'/ac']$

Proof.

$PBMH(P[\{y\} \cap ac'/ac'])$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet P[\{y\} \cap ac'/ac'][ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Substitution}
$= \exists ac_0 \bullet P[\{y\} \cap ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Assumption: $P$ is PBMH-healthy}
$= \exists ac_0 \bullet (\exists ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq ac')[\{y\} \cap ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Substitution}
$= \exists ac_0 \bullet (\exists ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq \{y\} \cap ac_0) \wedge ac_0 \subseteq ac'$ {Predicate calculus}
$= \exists ac_0, ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq \{y\} \cap ac_0 \wedge ac_0 \subseteq ac'$ {Property of sets}
$= \exists ac_0, ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq \{y\} \wedge ac_1 \subseteq ac_0 \wedge ac_0 \subseteq ac'$ {Property of sets}
$= \exists ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq \{y\} \wedge ac_1 \subseteq ac'$ {Property of sets}
$= \exists ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq \{y\} \cap ac'$ {Substitution}
$= (\exists ac_1 \bullet P[ac_1/ac'] \wedge ac_1 \subseteq ac')[\{y\} \cap ac'/ac']$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P)[\{y\} \cap ac'/ac']$

□


Lemma L.E.5.5

$PBMH(P)[o/ok] = PBMH(P[o/ok])$

Proof.

$PBMH(P)[o/ok]$ {Definition of PBMH (Lemma L.4.2.1)}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')[o/ok]$ {Substitution}
$= \exists ac_0 \bullet P[o/ok][ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P[o/ok])$

□


E.6 Properties with respect to Designs 

Lemma L.4.2.2 $PBMH(P \vdash Q) = (\neg PBMH(\neg P) \vdash PBMH(Q))$

Proof.

$PBMH(P \vdash Q)$ {Definition of design}
$= PBMH((ok \wedge P) \Rightarrow (Q \wedge ok'))$ {Predicate calculus}
$= PBMH(\neg ok \vee \neg P \vee (Q \wedge ok'))$ {Theorem T.E.2.2}
$= PBMH(\neg ok) \vee PBMH(\neg P) \vee PBMH(Q \wedge ok')$ {Lemma L.E.4.6}
$= \neg ok \vee PBMH(\neg P) \vee PBMH(Q \wedge ok')$ {Lemma L.E.4.8}
$= \neg ok \vee PBMH(\neg P) \vee (PBMH(Q) \wedge ok')$ {Predicate calculus}
$= (ok \wedge \neg PBMH(\neg P)) \Rightarrow (PBMH(Q) \wedge ok')$ {Definition of design}
$= (\neg PBMH(\neg P) \vdash PBMH(Q))$

□

Lemma L.E.6.1 $J ; (ac \subseteq ac' \wedge ok' = ok) = (ac \subseteq ac' \wedge ok' = ok) ; J$

Proof.

$J ; (ac \subseteq ac' \wedge ok' = ok)$ {Definition of $J$}
$= (ac' = ac \wedge ok \Rightarrow ok') ; (ac \subseteq ac' \wedge ok' = ok)$ {Definition of sequential composition}
$= \exists ac_0, ok_0 \bullet ac_0 = ac \wedge (ok \Rightarrow ok_0) \wedge ac_0 \subseteq ac' \wedge ok' = ok_0$ {One-point rule}
$= (ok \Rightarrow ok') \wedge ac \subseteq ac'$ {One-point rule}
$= \exists ac_0, ok_0 \bullet ac \subseteq ac_0 \wedge ok_0 = ok \wedge ac' = ac_0 \wedge ok_0 \Rightarrow ok'$ {Definition of sequential composition}
$= (ac \subseteq ac' \wedge ok' = ok) ; (ac' = ac \wedge ok \Rightarrow ok')$ {Definition of $J$}
$= (ac \subseteq ac' \wedge ok' = ok) ; J$

□


Lemma L.E.6.2 $PBMH(\neg PBMH(\neg P) \vdash Q) = PBMH(P \vdash Q)$

Proof.

$PBMH(\neg PBMH(\neg P) \vdash Q)$ {Definition of design}
$= PBMH((ok \wedge \neg PBMH(\neg P)) \Rightarrow (Q \wedge ok'))$ {Predicate calculus}
$= PBMH(\neg ok \vee PBMH(\neg P) \vee (Q \wedge ok'))$ {Theorems T.E.2.1 and T.E.2.2}
$= PBMH(\neg ok \vee \neg P \vee (Q \wedge ok'))$ {Predicate calculus}
$= PBMH((ok \wedge P) \Rightarrow (Q \wedge ok'))$ {Definition of design}
$= PBMH(P \vdash Q)$

□


Theorem T.E.6.1 $H2 \circ PBMH(P) = PBMH \circ H2(P)$

Proof.

$H2 \circ PBMH(P)$ {Definition of $H2$ ($J$-split)}
$= PBMH(P) ; J$ {Definition of PBMH}
$= (P ; ac \subseteq ac' \wedge ok' = ok) ; J$ {Associativity of sequential composition}
$= P ; ((ac \subseteq ac' \wedge ok' = ok) ; J)$ {Lemma L.E.6.1}
$= P ; (J ; (ac \subseteq ac' \wedge ok' = ok))$ {Associativity of sequential composition}
$= (P ; J) ; (ac \subseteq ac' \wedge ok' = ok)$ {Definition of PBMH}
$= PBMH(P ; J)$ {Definition of $H2$ ($J$-split)}
$= PBMH \circ H2(P)$

□


Theorem T.E.6.2 $H1 \circ PBMH(P) = PBMH \circ H1(P)$

Proof.

$PBMH \circ H1(P)$ {Definition of $H1$}
$= PBMH(ok \Rightarrow P)$ {Predicate calculus}
$= PBMH(\neg ok \vee P)$ {Distributivity of PBMH}
$= PBMH(\neg ok) \vee PBMH(P)$ {Lemma L.E.4.6}
$= \neg ok \vee PBMH(P)$ {Predicate calculus}
$= ok \Rightarrow PBMH(P)$ {Definition of $H1$}
$= H1 \circ PBMH(P)$

□


E.7 Properties with respect to A2 

Lemma L.E.7.1 Provided $P$ is PBMH-healthy,

$PBMH(P ;_A \{s \mid \{s\} = ac'\}) = \exists ac_1, ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid \{s\} = ac_1\} \wedge ac_1 \subseteq ac'$

Proof.

$PBMH(P ;_A \{s \mid \{s\} = ac'\})$ {Assumption: $P$ is PBMH-healthy}
$= PBMH(PBMH(P) ;_A \{s \mid \{s\} = ac'\})$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH((\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A \{s \mid \{s\} = ac'\})$ {Definition of $;_A$ and substitution}
$= PBMH(\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid \{s\} = ac'\})$ {Definition of PBMH (Lemma L.4.2.1)}
$= (\exists ac_1 \bullet (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid \{s\} = ac'\})[ac_1/ac'] \wedge ac_1 \subseteq ac')$ {Substitution and predicate calculus}
$= \exists ac_1, ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid \{s\} = ac_1\} \wedge ac_1 \subseteq ac'$

□


Theorem T.E.7.1 Provided $P$ is PBMH-healthy and $v$ is not free in $P$,

$\exists v \bullet (P ;_A Q) \Rightarrow P ;_A (\exists v \bullet Q)$

Proof.

$\exists v \bullet (P ;_A Q)$ {Assumption: $P$ is PBMH-healthy}
$= \exists v \bullet (PBMH(P) ;_A Q)$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists v \bullet ((\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A Q)$ {Definition of $;_A$ and substitution}
$= \exists v \bullet (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid Q\})$ {Predicate calculus: $v$ is not free in $P$}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge (\exists v \bullet ac_0 \subseteq \{s \mid Q\})$ {Lemma L.1.0.13}
$\Rightarrow \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid \exists v \bullet Q\}$ {Definition of $;_A$ and substitution}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A (\exists v \bullet Q)$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P) ;_A (\exists v \bullet Q)$ {Assumption: $P$ is PBMH-healthy}
$= P ;_A (\exists v \bullet Q)$

□













Appendix F 


Sequential Composition ($;_A$)

F.1 Properties

Lemma L.F.1.1 Provided $ac'$ is not free in $P$, $P ;_A Q = P$.

Proof.

$P ;_A Q$ {Definition of $;_A$}
$= P[\{z : State \mid Q[z/s]\}/ac']$ {Assumption: $ac'$ not free in $P$}
$= P$

□
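An added worked instance of the definition of $;_A$ used above, not part of the thesis: $P = (s_1 \in ac')$ is PBMH-healthy (Lemma L.E.4.3) and records that the final state $s_1$ is reachable, and $Q = (s.x > 0)$ is a predicate on the initial state $s$; the state name $s_1$ and the component $x$ are assumed.

$$
\begin{array}{ll}
P ;_A Q & \{\text{Definition of } ;_A\} \\
= (s_1 \in ac')[\{z : State \mid Q[z/s]\}/ac'] & \{\text{Substitution}\} \\
= s_1 \in \{z : State \mid z.x > 0\} & \{\text{Property of sets}\} \\
= s_1.x > 0 & \\[1ex]
P ;_A (Q \wedge ok') & \{\text{Definition of } ;_A \text{ and substitution}\} \\
= s_1 \in \{z : State \mid z.x > 0 \wedge ok'\} & \{\text{Property of sets}\} \\
= (s_1.x > 0) \wedge ok' & \{P ;_A false = s_1 \in \emptyset = false\} \\
= (P ;_A false) \vee ((P ;_A Q) \wedge ok') &
\end{array}
$$

The second derivation is the instance of Lemma L.F.2.6 for this $P$; for a $P$ in which $ac'$ is not free the substitution has nothing to replace, and Lemma L.F.1.1 gives $P ;_A Q = P$ directly.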


Lemma L.F.1.2 $\neg (P ;_A Q) = (\neg P ;_A Q)$

Proof.

$\neg (P ;_A Q)$ {Definition of sequential composition}
$= \neg (P[\{z \mid Q[z/s]\}/ac'])$ {Propositional calculus}
$= (\neg P[\{z \mid Q[z/s]\}/ac'])$ {Definition of sequential composition}
$= (\neg P ;_A Q)$

□


Lemma L.F.1.3 Provided $P$ and $Q$ satisfy PBMH,

$P ;_A (Q ;_A R) = (P ;_A Q) ;_A R$

Proof.

$P ;_A (Q ;_A R)$ {Definition of $;_A$}
$= P[\{s \mid Q ;_A R\}/ac']$ {Definition of $;_A$}
$= P[\{s \mid Q[\{s \mid R\}/ac']\}/ac']$ {Property of substitution}
$= P[\{s \mid Q\}/ac'][\{s \mid R\}/ac']$ {Definition of $;_A$}
$= P[\{s \mid Q\}/ac'] ;_A R$ {Definition of $;_A$}
$= (P ;_A Q) ;_A R$

□


Lemma L.F.1.4 $(P \vee Q) ;_A R = (P ;_A R) \vee (Q ;_A R)$

Proof.

$(P \vee Q) ;_A R$ {Definition of $;_A$}
$= (P \vee Q)[\{z \mid R[z/s]\}/ac']$ {Substitution}
$= (P[\{z \mid R[z/s]\}/ac'] \vee Q[\{z \mid R[z/s]\}/ac'])$ {Definition of $;_A$}
$= (P ;_A R) \vee (Q ;_A R)$

□


Lemma L.F.1.5 $(P \wedge Q) ;_A R = (P ;_A R) \wedge (Q ;_A R)$

Proof.

$(P \wedge Q) ;_A R$ {Definition of $;_A$}
$= (P \wedge Q)[\{z \mid R[z/s]\}/ac']$ {Property of substitution}
$= (P[\{z \mid R[z/s]\}/ac'] \wedge Q[\{z \mid R[z/s]\}/ac'])$ {Definition of $;_A$}
$= (P ;_A R) \wedge (Q ;_A R)$

□


Lemma L.F.1.6 Provided $P$ is PBMH-healthy,

$P ;_A (Q \wedge R) \Rightarrow (P ;_A Q) \wedge (P ;_A R)$

Proof.

$P ;_A (Q \wedge R)$ {Assumption: $P$ is PBMH-healthy}
$= PBMH(P) ;_A (Q \wedge R)$ {Definition of PBMH (Lemma L.4.2.1)}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A (Q \wedge R)$ {Definition of $;_A$ and substitution}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid Q \wedge R\}$ {Property of sets}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid Q\} \wedge ac_0 \subseteq \{s \mid R\}$ {Predicate calculus}
$\Rightarrow (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid Q\}) \wedge (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid R\})$ {Definition of $;_A$ and substitution}
$= ((\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A Q) \wedge ((\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A R)$ {Definition of PBMH (Lemma L.4.2.1)}
$= (PBMH(P) ;_A Q) \wedge (PBMH(P) ;_A R)$ {Assumption: $P$ is PBMH-healthy}
$= (P ;_A Q) \wedge (P ;_A R)$

□


F.2 Lemmas 


Lemma L.F.2.1 Provided $P$ is PBMH-healthy,

$(P ;_A Q) \vee (P ;_A R) \Rightarrow (P ;_A (Q \vee R))$

Proof.

$(P ;_A Q) \vee (P ;_A R)$ {Assumption: $P$ is PBMH-healthy (Lemma L.4.2.1)}
$= ((\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A Q) \vee ((\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A R)$ {Definition of $;_A$ and substitution}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid Q\}) \vee (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid R\})$ {Predicate calculus}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge (ac_0 \subseteq \{s \mid Q\} \vee ac_0 \subseteq \{s \mid R\})$ {Property of sets and predicate calculus}
$\Rightarrow \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid Q\} \cup \{s \mid R\}$ {Property of sets}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid Q \vee R\}$ {Definition of $;_A$ and substitution}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A (Q \vee R)$ {Assumption: $P$ is PBMH-healthy (Lemma L.4.2.1)}
$= P ;_A (Q \vee R)$

□


Lemma L.F.2.2 Provided $P$ is PBMH-healthy,

$(P ;_A Q) \vee (P ;_A true) = P ;_A true$

Proof.

$(P ;_A Q) \vee (P ;_A true)$ {Lemma L.F.2.1}
$= ((P ;_A Q) \vee (P ;_A true)) \wedge (P ;_A (Q \vee true))$ {Predicate calculus}
$= ((P ;_A Q) \vee (P ;_A true)) \wedge (P ;_A true)$ {Predicate calculus: absorption law}
$= (P ;_A true)$

□


Lemma L.F.2.3 Provided $P$ is PBMH-healthy,

$(P ;_A Q) \vee (P ;_A false) = P ;_A Q$

Proof.

$(P ;_A Q) \vee (P ;_A false)$ {Lemma L.F.2.1}
$= ((P ;_A Q) \vee (P ;_A false)) \wedge (P ;_A (Q \vee false))$ {Predicate calculus}
$= ((P ;_A Q) \vee (P ;_A false)) \wedge (P ;_A Q)$ {Predicate calculus: absorption law}
$= P ;_A Q$

□
Lemma L.F.2.4 Provided $P$ is PBMH-healthy,

$P ;_A (Q \Rightarrow (R \wedge ok')) = (P ;_A \neg Q) \vee ((P ;_A (Q \Rightarrow R)) \wedge ok')$

Proof.

$P ;_A (Q \Rightarrow (R \wedge ok'))$ {Assumption: $P$ is PBMH-healthy (Lemma L.4.2.1)}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A (Q \Rightarrow (R \wedge ok'))$ {Definition of $;_A$ and substitution}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid Q \Rightarrow (R \wedge ok')\}$ {Property of sets}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge \forall z \bullet z \in ac_0 \Rightarrow (Q[z/s] \Rightarrow (R[z/s] \wedge ok'))$ {Lemma L.F.2.5}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ((\forall z \bullet z \in ac_0 \Rightarrow \neg Q[z/s]) \vee ((\forall z \bullet z \in ac_0 \Rightarrow (Q[z/s] \Rightarrow R[z/s])) \wedge ok'))$ {Predicate calculus}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge (\forall z \bullet z \in ac_0 \Rightarrow \neg Q[z/s])) \vee (\exists ac_0 \bullet P[ac_0/ac'] \wedge ((\forall z \bullet z \in ac_0 \Rightarrow (Q[z/s] \Rightarrow R[z/s])) \wedge ok'))$ {Property of sets}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge (\forall z \bullet z \in ac_0 \Rightarrow z \in \{s \mid \neg Q\})) \vee (\exists ac_0 \bullet P[ac_0/ac'] \wedge ((\forall z \bullet z \in ac_0 \Rightarrow z \in \{s \mid Q \Rightarrow R\}) \wedge ok'))$ {Property of sets}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid \neg Q\}) \vee (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid Q \Rightarrow R\} \wedge ok')$ {Predicate calculus}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid \neg Q\}) \vee ((\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq \{s \mid Q \Rightarrow R\}) \wedge ok')$ {Definition of $;_A$ and substitution}
$= ((\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A \neg Q) \vee (((\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac') ;_A (Q \Rightarrow R)) \wedge ok')$ {Assumption: $P$ is PBMH-healthy (Lemma L.4.2.1)}
$= (P ;_A \neg Q) \vee ((P ;_A (Q \Rightarrow R)) \wedge ok')$

□


Lemma L.F.2.5 Provided $x$ is not free in $e$,

$\forall x \bullet P \Rightarrow (Q \Rightarrow (R \wedge e)) = (\forall x \bullet P \Rightarrow \neg Q) \vee ((\forall x \bullet P \Rightarrow (Q \Rightarrow R)) \wedge e)$

Proof.

$\forall x \bullet P \Rightarrow (Q \Rightarrow (R \wedge e))$ {Predicate calculus}
$= \forall x \bullet (P \wedge Q) \Rightarrow (R \wedge e)$ {Predicate calculus}
$= \forall x \bullet ((P \wedge Q) \Rightarrow R) \wedge ((P \wedge Q) \Rightarrow e)$ {Predicate calculus}
$= \forall x \bullet ((P \wedge Q) \Rightarrow R) \wedge (\neg (P \wedge Q) \vee e)$ {Predicate calculus}
$= (\forall x \bullet (P \wedge Q) \Rightarrow R) \wedge (\forall x \bullet \neg (P \wedge Q) \vee e)$ {Predicate calculus: $x$ is not free in $e$}
$= (\forall x \bullet (P \wedge Q) \Rightarrow R) \wedge ((\forall x \bullet \neg (P \wedge Q)) \vee e)$ {Predicate calculus}
$= ((\forall x \bullet (P \wedge Q) \Rightarrow R) \wedge (\forall x \bullet \neg (P \wedge Q))) \vee ((\forall x \bullet (P \wedge Q) \Rightarrow R) \wedge e)$ {Predicate calculus}
$= (\forall x \bullet ((P \wedge Q) \Rightarrow R) \wedge \neg (P \wedge Q)) \vee ((\forall x \bullet ((P \wedge Q) \Rightarrow R)) \wedge e)$ {Predicate calculus}
$= (\forall x \bullet \neg (P \wedge Q)) \vee ((\forall x \bullet ((P \wedge Q) \Rightarrow R)) \wedge e)$ {Predicate calculus}
$= (\forall x \bullet P \Rightarrow \neg Q) \vee ((\forall x \bullet P \Rightarrow (Q \Rightarrow R)) \wedge e)$

□


Lemma L.F.2.6 Provided $P$ is $\mathbf{PBMH}$-healthy,

$P ;_A (Q \land ok') = (P ;_A \mathit{false}) \lor ((P ;_A Q) \land ok')$

Proof.

$P ;_A (Q \land ok')$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy}

$= \mathbf{PBMH}(P) ;_A (Q \land ok')$   {Definition of $\mathbf{PBMH}$ (Lemma L.4.2.1)}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac') ;_A (Q \land ok')$   {Definition of $;_A$ and substitution}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{z \mid (Q \land ok')[z/s]\}$   {Property of substitution}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{z \mid Q[z/s] \land ok'\}$   {Property of sets}

$= \exists ac_0 \bullet P[ac_0/ac'] \land (\forall z \bullet z \in ac_0 \Rightarrow (Q[z/s] \land ok'))$   {Propositional calculus}

$= \exists ac_0 \bullet P[ac_0/ac'] \land (\forall z \bullet z \in ac_0 \Rightarrow Q[z/s]) \land (\forall z \bullet z \in ac_0 \Rightarrow ok')$   {Propositional calculus}

$= \exists ac_0 \bullet P[ac_0/ac'] \land (\forall z \bullet z \in ac_0 \Rightarrow Q[z/s]) \land (\forall z \bullet z \notin ac_0 \lor ok')$   {Predicate calculus: $ok' \neq z$, move quantifier}

$= \exists ac_0 \bullet P[ac_0/ac'] \land (\forall z \bullet z \in ac_0 \Rightarrow Q[z/s]) \land ((\forall z \bullet z \notin ac_0) \lor ok')$   {Predicate calculus: distribution}

$= \exists ac_0 \bullet P[ac_0/ac'] \land \big( ((\forall z \bullet z \in ac_0 \Rightarrow Q[z/s]) \land (\forall z \bullet z \notin ac_0)) \lor ((\forall z \bullet z \in ac_0 \Rightarrow Q[z/s]) \land ok') \big)$   {Predicate calculus}

$= \exists ac_0 \bullet P[ac_0/ac'] \land \big( (\forall z \bullet (z \in ac_0 \Rightarrow Q[z/s]) \land z \notin ac_0) \lor ((\forall z \bullet z \in ac_0 \Rightarrow Q[z/s]) \land ok') \big)$   {Propositional calculus}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ((\forall z \bullet z \notin ac_0) \lor ((\forall z \bullet z \in ac_0 \Rightarrow Q[z/s]) \land ok'))$   {Propositional calculus}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land \forall z \bullet z \notin ac_0) \lor (\exists ac_0 \bullet P[ac_0/ac'] \land (\forall z \bullet z \in ac_0 \Rightarrow Q[z/s]) \land ok')$   {Property of sets and introduce set comprehension}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 = \emptyset) \lor ((\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{z \mid Q[z/s]\}) \land ok')$   {One-point rule and substitution}

$= P[\emptyset/ac'] \lor ((\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{z \mid Q[z/s]\}) \land ok')$   {Re-introduce $ac'$}

$= P[\emptyset/ac'] \lor ((\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac')[\{z \mid Q[z/s]\}/ac'] \land ok')$   {Definition of $;_A$}

$= P[\emptyset/ac'] \lor (((\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac') ;_A Q) \land ok')$   {Definition of $\mathbf{PBMH}$ (Lemma L.4.2.1)}

$= P[\emptyset/ac'] \lor ((\mathbf{PBMH}(P) ;_A Q) \land ok')$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy}

$= P[\emptyset/ac'] \lor ((P ;_A Q) \land ok')$   {Lemma L.F.4.1}

$= (P ;_A \mathit{false}) \lor ((P ;_A Q) \land ok')$

□


Lemma L.F.2.7 Provided $s$ is not free in $R$ and $P$ is $\mathbf{PBMH}$-healthy,

$(P ;_A (Q \land R)) \land R = (P ;_A Q) \land R$

Proof.

$(P ;_A (Q \land R)) \land R$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy (Lemma L.4.2.1)}

$= ((\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac') ;_A (Q \land R)) \land R$   {Definition of $;_A$ and substitution}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid Q \land R\}) \land R$   {Property of sets}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid Q\} \land ac_0 \subseteq \{s \mid R\} \land R$   {Property of sets}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid Q\} \land (\forall s \bullet s \in ac_0 \Rightarrow R) \land R$   {Assumption: $s$ is not free in $R$ and predicate calculus}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid Q\} \land ((\forall s \bullet s \notin ac_0) \lor R) \land R$   {Predicate calculus: absorption law}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid Q\} \land R$   {Predicate calculus}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid Q\}) \land R$   {Definition of $;_A$ and substitution}

$= ((\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac') ;_A Q) \land R$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy (Lemma L.4.2.1)}

$= (P ;_A Q) \land R$

□


Lemma L.F.2.8 Provided $ac'$ is not free in $P$,

$(P \land Q) ;_A R = P \land (Q ;_A R)$

Proof.

$(P \land Q) ;_A R$   {Lemma L.F.1.5}

$= (P ;_A R) \land (Q ;_A R)$   {Assumption: $ac'$ not free in $P$ and Lemma L.F.1.1}

$= P \land (Q ;_A R)$

□


Lemma L.F.2.9 Provided $P$ is $\mathbf{PBMH}$-healthy and $s$ is not free in $e$,

$P ;_A (Q \Rightarrow (R \land e)) = (P ;_A \lnot Q) \lor ((P ;_A (Q \Rightarrow R)) \land e)$

Proof.

$P ;_A (Q \Rightarrow (R \land e))$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy (Lemma L.4.2.1)}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac') ;_A (Q \Rightarrow (R \land e))$   {Definition of $;_A$ and substitution}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid Q \Rightarrow (R \land e)\}$   {Property of sets and $s$ not free in $e$}

$= \exists ac_0 \bullet P[ac_0/ac'] \land \forall z \bullet z \in ac_0 \Rightarrow (Q[z/s] \Rightarrow (R[z/s] \land e))$   {Lemma L.F.2.5}

$= \exists ac_0 \bullet P[ac_0/ac'] \land \big( (\forall z \bullet z \in ac_0 \Rightarrow \lnot Q[z/s]) \lor ((\forall z \bullet z \in ac_0 \Rightarrow (Q[z/s] \Rightarrow R[z/s])) \land e) \big)$   {Predicate calculus}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land (\forall z \bullet z \in ac_0 \Rightarrow \lnot Q[z/s])) \lor (\exists ac_0 \bullet P[ac_0/ac'] \land ((\forall z \bullet z \in ac_0 \Rightarrow (Q[z/s] \Rightarrow R[z/s])) \land e))$   {Property of sets}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land (\forall z \bullet z \in ac_0 \Rightarrow z \in \{s \mid \lnot Q\})) \lor (\exists ac_0 \bullet P[ac_0/ac'] \land ((\forall z \bullet z \in ac_0 \Rightarrow z \in \{s \mid Q \Rightarrow R\}) \land e))$   {Property of sets}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid \lnot Q\}) \lor (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid Q \Rightarrow R\} \land e)$   {Predicate calculus}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid \lnot Q\}) \lor ((\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{s \mid Q \Rightarrow R\}) \land e)$   {Definition of $;_A$ and substitution}

$= ((\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac') ;_A \lnot Q) \lor (((\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac') ;_A (Q \Rightarrow R)) \land e)$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy (Lemma L.4.2.1)}

$= (P ;_A \lnot Q) \lor ((P ;_A (Q \Rightarrow R)) \land e)$

□


F.3 Closure Properties

Theorem T.F.3.1 Provided $P$ and $Q$ are $\mathbf{PBMH}$-healthy,

$\mathbf{PBMH}(P ;_A Q) = P ;_A Q$

Proof. (Implication)

$\mathbf{PBMH}(P ;_A Q)$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy (Lemma L.4.2.1)}

$= \mathbf{PBMH}((\exists ac_1 \bullet P[ac_1/ac'] \land ac_1 \subseteq ac') ;_A Q)$   {Definition of $;_A$ and substitution}

$= \mathbf{PBMH}(\exists ac_1 \bullet P[ac_1/ac'] \land ac_1 \subseteq \{s \mid Q\})$   {Property of sets}

$= \mathbf{PBMH}(\exists ac_1 \bullet P[ac_1/ac'] \land (\forall z \bullet z \in ac_1 \Rightarrow Q[z/s]))$   {Definition of $\mathbf{PBMH}$ (Lemma L.4.2.1)}

$= \exists ac_0 \bullet (\exists ac_1 \bullet P[ac_1/ac'] \land (\forall z \bullet z \in ac_1 \Rightarrow Q[z/s]))[ac_0/ac'] \land ac_0 \subseteq ac'$   {Predicate calculus and substitution}

$= \exists ac_0, ac_1 \bullet P[ac_1/ac'] \land (\forall z \bullet z \in ac_1 \Rightarrow Q[z/s][ac_0/ac']) \land ac_0 \subseteq ac'$   {Predicate calculus: quantifier scope}

$= \exists ac_1 \bullet P[ac_1/ac'] \land (\exists ac_0 \bullet (\forall z \bullet z \in ac_1 \Rightarrow Q[z/s][ac_0/ac']) \land ac_0 \subseteq ac')$   {Predicate calculus: quantifier scope}

$= \exists ac_1 \bullet P[ac_1/ac'] \land (\exists ac_0 \bullet (\forall z \bullet (z \in ac_1 \Rightarrow Q[z/s][ac_0/ac']) \land ac_0 \subseteq ac'))$   {Predicate calculus}

$= \exists ac_1 \bullet P[ac_1/ac'] \land \big( \exists ac_0 \bullet \forall z \bullet (z \notin ac_1 \land ac_0 \subseteq ac') \lor (Q[z/s][ac_0/ac'] \land ac_0 \subseteq ac') \big)$   {Predicate calculus}

$\Rightarrow \exists ac_1 \bullet P[ac_1/ac'] \land \big( \forall z \bullet \exists ac_0 \bullet (z \notin ac_1 \land ac_0 \subseteq ac') \lor (Q[z/s][ac_0/ac'] \land ac_0 \subseteq ac') \big)$   {Predicate calculus}

$= \exists ac_1 \bullet P[ac_1/ac'] \land \big( \forall z \bullet (z \notin ac_1 \land \exists ac_0 \bullet ac_0 \subseteq ac') \lor (\exists ac_0 \bullet Q[z/s][ac_0/ac'] \land ac_0 \subseteq ac') \big)$   {Property of sets and predicate calculus}

$= \exists ac_1 \bullet P[ac_1/ac'] \land \big( \forall z \bullet (z \in ac_1) \Rightarrow (\exists ac_0 \bullet Q[z/s][ac_0/ac'] \land ac_0 \subseteq ac') \big)$   {Substitution}

$= \exists ac_1 \bullet P[ac_1/ac'] \land \big( \forall z \bullet (z \in ac_1) \Rightarrow (\exists ac_0 \bullet Q[ac_0/ac'] \land ac_0 \subseteq ac')[z/s] \big)$   {Definition of $\mathbf{PBMH}$ (Lemma L.4.2.1)}

$= \exists ac_1 \bullet P[ac_1/ac'] \land (\forall z \bullet z \in ac_1 \Rightarrow \mathbf{PBMH}(Q)[z/s])$   {Property of sets}

$= \exists ac_1 \bullet P[ac_1/ac'] \land ac_1 \subseteq \{s \mid \mathbf{PBMH}(Q)\}$   {Definition of $;_A$ and substitution}

$= (\exists ac_1 \bullet P[ac_1/ac'] \land ac_1 \subseteq ac') ;_A \mathbf{PBMH}(Q)$   {Definition of $\mathbf{PBMH}$ (Lemma L.4.2.1)}

$= \mathbf{PBMH}(P) ;_A \mathbf{PBMH}(Q)$   {Assumption: $P$ and $Q$ are $\mathbf{PBMH}$-healthy (Lemma L.4.2.1)}

$= P ;_A Q$

□

Proof. (Reverse implication)

$P ;_A Q$   {Lemma L.E.2.1}

$\Rightarrow \mathbf{PBMH}(P ;_A Q)$

□


F.4 Extreme Points

Lemma L.F.4.1 Provided $P$ is $\mathbf{PBMH}$-healthy,

$P ;_A \mathit{false} = P[\emptyset/ac']$

Proof.

$P ;_A \mathit{false}$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy}

$= \mathbf{PBMH}(P) ;_A \mathit{false}$   {Definition of $\mathbf{PBMH}$ (Lemma L.4.2.1)}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac') ;_A \mathit{false}$   {Definition of $;_A$}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \emptyset$   {Property of sets and one-point rule}

$= P[\emptyset/ac']$

□

Lemma L.F.4.2 Provided $P$ is $\mathbf{PBMH}$-healthy,

$P ;_A \mathit{true} = \exists ac' \bullet P$

Proof.

$P ;_A \mathit{true}$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy}

$= \mathbf{PBMH}(P) ;_A \mathit{true}$   {Lemma L.4.2.1}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac') ;_A \mathit{true}$   {Definition of $;_A$}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{z \mid \mathit{true}\}$   {Property of sets}

$= \exists ac_0 \bullet P[ac_0/ac'] \land (\forall z \bullet z \in ac_0 \Rightarrow \mathit{true})$   {Propositional calculus}

$= \exists ac_0 \bullet P[ac_0/ac']$   {One-point rule}

$= \exists ac_0 \bullet (\exists ac' \bullet P \land ac' = ac_0)$   {One-point rule: $ac_0$ not free in $P$}

$= \exists ac' \bullet P$

□


F.5 Algebraic Properties: $;_A$ and Sequential Composition

Lemma L.F.5.1 Provided $ok$ and $ac$ are not free in $R$,

$(P ; Q) ;_A R = P ; (Q ;_A R)$

Proof.

$(P ; Q) ;_A R$   {Definition of sequential composition}

$= (\exists ok_0, ac_0 \bullet P[ok_0, ac_0/ok', ac'] \land Q[ok_0, ac_0/ok, ac]) ;_A R$   {Definition of $;_A$}

$= (\exists ok_0, ac_0 \bullet P[ok_0, ac_0/ok', ac'] \land Q[ok_0, ac_0/ok, ac])[\{z \mid R[z/s]\}/ac']$   {Substitution: $ac'$ not free in $ac_0$}

$= (\exists ok_0, ac_0 \bullet P[ok_0, ac_0/ok', ac'] \land Q[ok_0, ac_0/ok, ac][\{z \mid R[z/s]\}/ac'])$   {Assumption: $\{ok, ac\}$ not free in $R$}

$= (\exists ok_0, ac_0 \bullet P[ok_0, ac_0/ok', ac'] \land Q[\{z \mid R[z/s]\}/ac'][ok_0, ac_0/ok, ac])$   {Definition of sequential composition}

$= P ; Q[\{z \mid R[z/s]\}/ac']$   {Definition of $;_A$}

$= P ; (Q ;_A R)$

□


F.6 Skip

Definition 142 $\Pi_A = s \in ac'$

Lemma L.F.6.1 $\Pi_A$ is a fixed point of $\mathbf{PBMH}$, $\mathbf{PBMH}(\Pi_A) = \Pi_A$.

Proof.

$\mathbf{PBMH}(\Pi_A)$   {Definition of $\Pi_A$ and $\mathbf{PBMH}$ (Lemma L.4.2.1)}

$= \exists ac_0 \bullet s \in ac_0 \land ac_0 \subseteq ac'$   {Lemma L.1.0.16}

$= s \in ac'$

□

Lemma L.F.6.2 $\Pi_A ;_A P = P$

Proof.

$\Pi_A ;_A P$   {Definition of $\Pi_A$}

$= (s \in ac') ;_A P$   {Definition of $;_A$ and substitution}

$= s \in \{z \mid P[z/s]\}$   {Property of sets}

$= P[z/s][s/z]$   {Substitution}

$= P$

□

Lemma L.F.6.3 Provided $P$ is $\mathbf{PBMH}$-healthy, $P ;_A \Pi_A = P$.

Proof.

$P ;_A \Pi_A$   {Definition of $\Pi_A$}

$= P ;_A (s \in ac')$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy}

$= \mathbf{PBMH}(P) ;_A (s \in ac')$   {Lemma L.4.2.1}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac') ;_A (s \in ac')$   {Definition of $;_A$}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{z \mid z \in ac'\}$   {Property of sets}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac'$   {Lemma L.4.2.1}

$= \mathbf{PBMH}(P)$   {Assumption: $P$ satisfies $\mathbf{PBMH}$}

$= P$

□
Appendix G

Reactive Angelic Designs (RAD)

G.1 RA1

G.1.1 Definition

Definition 109

$\mathbf{RA1}(P) = (P \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$

G.1.2 Properties

Theorem T.5.2.1 $\mathbf{RA1} \circ \mathbf{A0}(P) = \mathbf{RA1}(P)$

Proof.

$\mathbf{RA1} \circ \mathbf{A0}(P)$   {Lemma L.G.1.1}

$= \mathbf{A0}(P)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Definition of $\mathbf{A0}$}

$= (P \land ((ok \land \lnot P^f_f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset)))[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Substitution}

$= P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \big( (ok \land \lnot P^f_f[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac']) \Rightarrow (ok' \Rightarrow \{z \mid z \in ac' \land s.tr \leq z.tr\} \neq \emptyset) \big) \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Property of sets}

$= P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \big( (ok \land \lnot P^f_f[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac']) \Rightarrow (ok' \Rightarrow (\exists z \bullet z \in ac' \land s.tr \leq z.tr)) \big) \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Predicate calculus}

$= P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \big( (\lnot ok \lor P^f_f[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac']) \lor (\lnot ok' \lor (\exists z \bullet z \in ac' \land s.tr \leq z.tr)) \big) \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Predicate calculus: absorption law}

$= P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Lemma L.G.1.1}

$= \mathbf{RA1}(P)$

□


Theorem T.5.2.2 $\mathbf{RA1}(P \land Q) = \mathbf{RA1}(P) \land \mathbf{RA1}(Q)$

Proof.

$\mathbf{RA1}(P \land Q)$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= (P \land Q)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Substitution}

$= P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land Q[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Predicate calculus}

$= (P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac') \land (Q[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac')$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= \mathbf{RA1}(P) \land \mathbf{RA1}(Q)$

□

Theorem T.5.2.3 $\mathbf{RA1}(P \lor Q) = \mathbf{RA1}(P) \lor \mathbf{RA1}(Q)$

Proof.

$\mathbf{RA1}(P \lor Q)$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= (P \lor Q)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Substitution}

$= (P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \lor Q[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac']) \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Predicate calculus}

$= (P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac') \lor (Q[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac')$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= \mathbf{RA1}(P) \lor \mathbf{RA1}(Q)$

□

Theorem T.5.2.4 Provided $P$ and $Q$ are $\mathbf{RA1}$-healthy and $Q$ is $\mathbf{PBMH}$-healthy,

$\mathbf{RA1}(P ;_A Q) = P ;_A Q$

Proof.

$P ;_A Q$   {Assumption: $P$ and $Q$ are $\mathbf{RA1}$-healthy}

$= \mathbf{RA1}(P) ;_A \mathbf{RA1}(Q)$   {Definition of $\mathbf{RA1}$}

$= (P[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac'] \land \mathbf{RA1}(\mathit{true})) ;_A \mathbf{RA1}(Q)$   {Right-distributivity of $;_A$ (Lemma L.F.1.5)}

$= (P[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac'] ;_A \mathbf{RA1}(Q)) \land (\mathbf{RA1}(\mathit{true}) ;_A \mathbf{RA1}(Q))$   {Lemma L.G.1.32}

$= (P[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac'] ;_A \mathbf{RA1}(Q)) \land (\mathbf{RA1}(\mathit{true}) ;_A \mathbf{RA1}(Q)) \land \mathbf{RA1}(\mathit{true})$   {Right-distributivity of $;_A$ (Lemma L.F.1.5)}

$= ((P[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac'] \land \mathbf{RA1}(\mathit{true})) ;_A \mathbf{RA1}(Q)) \land \mathbf{RA1}(\mathit{true})$   {Definition of $\mathbf{RA1}$}

$= ((P \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac'] ;_A \mathbf{RA1}(Q)) \land \mathbf{RA1}(\mathit{true})$   {Assumption: $Q$ is $\mathbf{PBMH}$-healthy and Lemma L.G.1.37}

$= \big( (P \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac'] ;_A \mathbf{PBMH}(Q \land ac' \neq \emptyset \land ac' \subseteq \mathit{States}_{tr \leq tr'}(s)) \big) \land \mathbf{RA1}(\mathit{true})$   {Definition of $;_A$ and substitution}

$= (P \land ac' \neq \emptyset)\big[ \mathit{States}_{tr \leq tr'}(s) \cap \{z \mid \mathbf{PBMH}(Q \land ac' \neq \emptyset \land ac' \subseteq \mathit{States}_{tr \leq tr'}(s))[z/s]\} / ac' \big] \land \mathbf{RA1}(\mathit{true})$   {Definition of $\mathbf{PBMH}$}

$= (P \land ac' \neq \emptyset)\big[ \mathit{States}_{tr \leq tr'}(s) \cap \{z \mid (\exists ac_0 \bullet Q[ac_0/ac'] \land ac_0 \neq \emptyset \land ac_0 \subseteq \mathit{States}_{tr \leq tr'}(s) \land ac_0 \subseteq ac')[z/s]\} / ac' \big] \land \mathbf{RA1}(\mathit{true})$   {Substitution}

$= (P \land ac' \neq \emptyset)\big[ \mathit{States}_{tr \leq tr'}(s) \cap \{z \mid \exists ac_0 \bullet Q[z/s][ac_0/ac'] \land ac_0 \neq \emptyset \land ac_0 \subseteq \mathit{States}_{tr \leq tr'}(z) \land ac_0 \subseteq ac'\} / ac' \big] \land \mathbf{RA1}(\mathit{true})$   {Property of sets}

$= (P \land ac' \neq \emptyset)\big[ \{z \mid s.tr \leq z.tr \land \exists ac_0 \bullet Q[z/s][ac_0/ac'] \land ac_0 \neq \emptyset \land ac_0 \subseteq \mathit{States}_{tr \leq tr'}(z) \cap ac'\} / ac' \big] \land \mathbf{RA1}(\mathit{true})$   {Definition of $\mathit{States}_{tr \leq tr'}$}

$= (P \land ac' \neq \emptyset)\big[ \{z \mid s.tr \leq z.tr \land \exists ac_0 \bullet Q[z/s][ac_0/ac'] \land ac_0 \neq \emptyset \land ac_0 \subseteq \{x \mid z.tr \leq x.tr \land x \in ac'\}\} / ac' \big] \land \mathbf{RA1}(\mathit{true})$   {Lemma L.1.0.14}

$= (P \land ac' \neq \emptyset)\big[ \{z \mid s.tr \leq z.tr \land \exists ac_0 \bullet Q[z/s][ac_0/ac'] \land ac_0 \neq \emptyset \land ac_0 \subseteq \{x \mid z.tr \leq x.tr \land s.tr \leq x.tr \land x \in ac'\}\} / ac' \big] \land \mathbf{RA1}(\mathit{true})$   {Property of sets and definition of $\mathit{States}_{tr \leq tr'}$}

$= (P \land ac' \neq \emptyset)\big[ \mathit{States}_{tr \leq tr'}(s) \cap \{z \mid \exists ac_0 \bullet Q[z/s][ac_0/ac'] \land ac_0 \neq \emptyset \land ac_0 \subseteq \mathit{States}_{tr \leq tr'}(z) \cap \mathit{States}_{tr \leq tr'}(s) \cap ac'\} / ac' \big] \land \mathbf{RA1}(\mathit{true})$   {Property of sets and substitution}

$= (P \land ac' \neq \emptyset)\big[ \big( \mathit{States}_{tr \leq tr'}(s) \cap \{z \mid \exists ac_0 \bullet Q[z/s][ac_0/ac'] \land ac_0 \neq \emptyset \land ac_0 \subseteq \mathit{States}_{tr \leq tr'}(z) \cap ac'\} \big)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac'] / ac' \big] \land \mathbf{RA1}(\mathit{true})$   {Definition of $\mathbf{RA1}$}

$= \mathbf{RA1}\big( (P \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap \{z \mid \exists ac_0 \bullet Q[z/s][ac_0/ac'] \land ac_0 \neq \emptyset \land ac_0 \subseteq \mathit{States}_{tr \leq tr'}(z) \cap ac'\} / ac'] \big)$   {Substitution}

$= \mathbf{RA1}\big( (P \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap \{z \mid (\exists ac_0 \bullet Q[ac_0/ac'] \land ac_0 \neq \emptyset \land ac_0 \subseteq \mathit{States}_{tr \leq tr'}(s) \cap ac')[z/s]\} / ac'] \big)$   {Property of sets and definition of $\mathbf{PBMH}$}

$= \mathbf{RA1}\big( (P \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap \{z \mid \mathbf{PBMH}(Q \land ac' \neq \emptyset \land ac' \subseteq \mathit{States}_{tr \leq tr'}(s))[z/s]\} / ac'] \big)$   {Assumption: $Q$ is $\mathbf{PBMH}$-healthy and Lemma L.G.1.37}

$= \mathbf{RA1}\big( (P \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap \{z \mid \mathbf{RA1}(Q)[z/s]\} / ac'] \big)$   {Definition of $;_A$ and substitution}

$= \mathbf{RA1}\big( (P \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac'] ;_A \mathbf{RA1}(Q) \big)$   {Definition of $\mathbf{RA1}$}

$= \mathbf{RA1}(\mathbf{RA1}(P) ;_A \mathbf{RA1}(Q))$   {Assumption: $P$ and $Q$ are $\mathbf{RA1}$-healthy}

$= \mathbf{RA1}(P ;_A Q)$

□


Theorem T.5.2.5 $\mathbf{PBMH} \circ \mathbf{RA1} \circ \mathbf{PBMH}(P) = \mathbf{RA1} \circ \mathbf{PBMH}(P)$

Proof.

$\mathbf{PBMH} \circ \mathbf{RA1} \circ \mathbf{PBMH}(P)$   {Lemma L.G.1.1}

$= \mathbf{PBMH}\big( \mathbf{PBMH}(P)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac' \big)$   {Lemma L.4.2.1}

$= \mathbf{PBMH}\big( (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac')[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac' \big)$   {Substitution}

$= \mathbf{PBMH}\big( (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{z \mid z \in ac' \land s.tr \leq z.tr\}) \land \exists z \bullet s.tr \leq z.tr \land z \in ac' \big)$   {Property of sets}

$= \mathbf{PBMH}\big( (\exists ac_0 \bullet P[ac_0/ac'] \land \forall x \bullet x \in ac_0 \Rightarrow (x \in ac' \land s.tr \leq x.tr)) \land \exists z \bullet s.tr \leq z.tr \land z \in ac' \big)$   {Predicate calculus}

$= \mathbf{PBMH}\big( (\exists ac_0 \bullet P[ac_0/ac'] \land (\forall x \bullet x \in ac_0 \Rightarrow x \in ac') \land (\forall x \bullet x \in ac_0 \Rightarrow s.tr \leq x.tr)) \land \exists z \bullet s.tr \leq z.tr \land z \in ac' \big)$   {Lemma L.4.2.1}

$= \exists ac_1 \bullet \big( (\exists ac_0 \bullet P[ac_0/ac'] \land (\forall x \bullet x \in ac_0 \Rightarrow x \in ac') \land (\forall x \bullet x \in ac_0 \Rightarrow s.tr \leq x.tr)) \land \exists z \bullet s.tr \leq z.tr \land z \in ac' \big)[ac_1/ac'] \land ac_1 \subseteq ac'$   {Substitution}

$= \exists ac_1 \bullet \big( (\exists ac_0 \bullet P[ac_0/ac'] \land (\forall x \bullet x \in ac_0 \Rightarrow x \in ac_1) \land (\forall x \bullet x \in ac_0 \Rightarrow s.tr \leq x.tr)) \land \exists z \bullet s.tr \leq z.tr \land z \in ac_1 \big) \land ac_1 \subseteq ac'$   {Predicate calculus}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land (\forall x \bullet x \in ac_0 \Rightarrow x \in ac') \land (\forall x \bullet x \in ac_0 \Rightarrow s.tr \leq x.tr)) \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Predicate calculus}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land (\forall x \bullet x \in ac_0 \Rightarrow (x \in ac' \land s.tr \leq x.tr))) \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Property of sets}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \{z \mid z \in ac' \land s.tr \leq z.tr\}) \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Substitution}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac')[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Lemma L.4.2.1}

$= \mathbf{PBMH}(P)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Lemma L.G.1.1}

$= \mathbf{RA1} \circ \mathbf{PBMH}(P)$

□


Theorem T.G.1.1 $\mathbf{RA1} \circ \mathbf{RA1}(P) = \mathbf{RA1}(P)$

Proof.

$\mathbf{RA1} \circ \mathbf{RA1}(P)$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= \mathbf{RA1}(P)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet z \in ac' \land s.tr \leq z.tr$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= \big( P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet z \in ac' \land s.tr \leq z.tr \big)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet z \in ac' \land s.tr \leq z.tr$   {Substitution}

$= P[\{z \mid z \in \{z \mid z \in ac' \land s.tr \leq z.tr\} \land s.tr \leq z.tr\}/ac'] \land (\exists z \bullet z \in \{z \mid z \in ac' \land s.tr \leq z.tr\} \land s.tr \leq z.tr) \land \exists z \bullet z \in ac' \land s.tr \leq z.tr$   {Variable renaming}

$= P[\{z \mid z \in \{y \mid y \in ac' \land s.tr \leq y.tr\} \land s.tr \leq z.tr\}/ac'] \land (\exists z \bullet z \in \{y \mid y \in ac' \land s.tr \leq y.tr\} \land s.tr \leq z.tr) \land \exists z \bullet z \in ac' \land s.tr \leq z.tr$   {Property of sets}

$= P[\{z \mid z \in ac' \land s.tr \leq z.tr \land s.tr \leq z.tr\}/ac'] \land (\exists z \bullet z \in ac' \land s.tr \leq z.tr \land s.tr \leq z.tr) \land \exists z \bullet z \in ac' \land s.tr \leq z.tr$   {Predicate calculus}

$= P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet z \in ac' \land s.tr \leq z.tr$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= \mathbf{RA1}(P)$

□

Theorem T.G.1.2 $P \sqsubseteq Q \Rightarrow \mathbf{RA1}(P) \sqsubseteq \mathbf{RA1}(Q)$

Proof.

$\mathbf{RA1}(Q)$   {Assumption: $P \sqsubseteq Q = [Q \Rightarrow P]$}

$= \mathbf{RA1}(Q \land P)$   {Theorem T.5.2.2}

$= \mathbf{RA1}(Q) \land \mathbf{RA1}(P)$   {Predicate calculus}

$\Rightarrow \mathbf{RA1}(P)$

□


G.1.3 Lemmas

Lemma L.G.1.1

$\mathbf{RA1}(P) = P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$

Proof.

$\mathbf{RA1}(P)$   {Definition of $\mathbf{RA1}$ (Definition 109)}

$= (P \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Property of sets and definition of $\mathit{States}_{tr \leq tr'}$}

$= (P \land ac' \neq \emptyset)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac']$   {Substitution}

$= P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \{z \mid z \in ac' \land s.tr \leq z.tr\} \neq \emptyset$   {Property of sets}

$= P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet z \in \{z \mid z \in ac' \land s.tr \leq z.tr\}$   {Property of sets}

$= P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet z \in ac' \land s.tr \leq z.tr$

□

Lemma L.G.1.2

$\mathbf{RA1}(P) = (P \land ac' \neq \emptyset)[\{z \mid z \in ac' \land z \in \{z \mid s.tr \leq z.tr\}\}/ac']$

Proof.

$\mathbf{RA1}(P)$   {Definition of $\mathbf{RA1}$ (Definition 109)}

$= (P \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Property of sets and definition of $\mathit{States}_{tr \leq tr'}$}

$= (P \land ac' \neq \emptyset)[\{z \mid z \in ac' \land z \in \{z \mid s.tr \leq z.tr\}\}/ac']$

□

Lemma L.G.1.3 $\mathbf{RA1}(P)[\emptyset/ac'] = \mathit{false}$

Proof.

$\mathbf{RA1}(P)[\emptyset/ac']$   {Definition of $\mathbf{RA1}$}

$= (P \land ac' \neq \emptyset)[\{z \mid s.tr \leq z.tr\} \cap ac'/ac'][\emptyset/ac']$   {Substitution}

$= (P \land ac' \neq \emptyset)[\{z \mid s.tr \leq z.tr\} \cap \emptyset/ac']$   {Property of sets}

$= (P \land ac' \neq \emptyset)[\emptyset/ac']$   {Substitution}

$= P[\emptyset/ac'] \land \emptyset \neq \emptyset$   {Predicate calculus}

$= \mathit{false}$

□

Lemma L.G.1.4 $\mathbf{RA1}(\mathit{true})[\{y\}/ac'] = s.tr \leq y.tr$

Proof.

$\mathbf{RA1}(\mathit{true})[\{y\}/ac']$   {Lemma L.G.1.10}

$= (\exists z \bullet s.tr \leq z.tr \land z \in ac')[\{y\}/ac']$   {Substitution}

$= \exists z \bullet s.tr \leq z.tr \land z \in \{y\}$   {Property of sets}

$= \exists z \bullet s.tr \leq z.tr \land z = y$   {One-point rule}

$= s.tr \leq y.tr$

□

Lemma L.G.1.5 Provided $y$ is not $s$ and not $ac'$,

$\mathbf{RA1}(\exists y \bullet P[\{y\}/ac'] \land y \in ac') = \exists y \bullet P[\{y\}/ac'] \land s.tr \leq y.tr \land y \in ac'$

Proof.

$\mathbf{RA1}(\exists y \bullet P[\{y\}/ac'] \land y \in ac')$   {Lemma L.G.1.12}

$= \exists y \bullet \mathbf{RA1}(P[\{y\}/ac'] \land y \in ac')$   {Lemma L.G.1.16}

$= \exists y \bullet P[\{y\}/ac'] \land \mathbf{RA1}(y \in ac')$   {Lemma L.G.1.13}

$= \exists y \bullet P[\{y\}/ac'] \land s.tr \leq y.tr \land y \in ac'$

□


Lemma L.G.1.6 $\mathbf{RA1}(P) \Rightarrow ac' \neq \emptyset$

Proof.

$\mathbf{RA1}(P)$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= P[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Predicate calculus}

$\Rightarrow \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Predicate calculus}

$\Rightarrow \exists z \bullet z \in ac'$   {Property of sets}

$= ac' \neq \emptyset$

□

Lemma L.G.1.7 $s \in ac' \Rightarrow \exists z \bullet s.tr \leq z.tr \land z \in ac'$

Proof.

$s \in ac'$   {Property of sequences}

$= s.tr \leq s.tr \land s \in ac'$   {Predicate calculus}

$\Rightarrow \exists z \bullet s.tr \leq z.tr \land z \in ac'$

□

Lemma L.G.1.8

$(\exists z \bullet z \in ac' \land tr_0 \leq z.tr \land x = z \oplus \{tr \mapsto z.tr - tr_0\}) \Leftrightarrow x \oplus \{tr \mapsto tr_0 \frown x.tr\} \in ac'$

Proof.

$\exists z \bullet z \in ac' \land tr_0 \leq z.tr \land x = z \oplus \{tr \mapsto z.tr - tr_0\}$   {Definition of $\oplus$}

$\Leftrightarrow \exists z \bullet z \in ac' \land tr_0 \leq z.tr \land x = \{tr\} \ndres z \cup \{tr \mapsto z.tr - tr_0\}$   {Property of relations}

$\Leftrightarrow \exists z \bullet z \in ac' \land tr_0 \leq z.tr \land \{tr\} \ndres x = \{tr\} \ndres z \land x.tr = z.tr - tr_0 \land \mathrm{dom}\, x = \mathrm{dom}\, z \cup \{tr\}$   {Property of sequences}

$\Leftrightarrow \exists z \bullet z \in ac' \land tr_0 \leq z.tr \land \{tr\} \ndres x = \{tr\} \ndres z \land tr_0 \frown x.tr = z.tr \land \mathrm{dom}\, x = \mathrm{dom}\, z \cup \{tr\}$   {Property of relations}

$\Leftrightarrow \exists z \bullet z \in ac' \land tr_0 \leq z.tr \land z = \{tr\} \ndres x \cup \{tr \mapsto tr_0 \frown x.tr\}$   {Definition of $\oplus$}

$\Leftrightarrow \exists z \bullet z \in ac' \land tr_0 \leq z.tr \land z = x \oplus \{tr \mapsto tr_0 \frown x.tr\}$   {One-point rule}

$\Leftrightarrow x \oplus \{tr \mapsto tr_0 \frown x.tr\} \in ac' \land tr_0 \leq (x \oplus \{tr \mapsto tr_0 \frown x.tr\}).tr$   {Property of $\oplus$ and value of $tr$}

$\Leftrightarrow x \oplus \{tr \mapsto tr_0 \frown x.tr\} \in ac' \land tr_0 \leq tr_0 \frown x.tr$   {Property of sequence}

$\Leftrightarrow x \oplus \{tr \mapsto tr_0 \frown x.tr\} \in ac'$

□

Lemma L.G.1.9 $\mathbf{RA1}(\mathit{false}) = \mathit{false}$

Proof.

$\mathbf{RA1}(\mathit{false})$   {Definition of $\mathbf{RA1}$}

$= (\mathit{false} \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Predicate calculus}

$= \mathit{false}[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Substitution}

$= \mathit{false}$

□

Lemma L.G.1.10

$\mathbf{RA1}(\mathit{true}) = \exists z \bullet s.tr \leq z.tr \land z \in ac'$

Proof.

$\mathbf{RA1}(\mathit{true})$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= \mathit{true}[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Property of substitution}

$= \exists z \bullet s.tr \leq z.tr \land z \in ac'$

□
Lemma L.G.1.11

$\mathbf{RA1}(\mathit{true}) = \mathit{States}_{tr \leq tr'}(s) \cap ac' \neq \emptyset$

Proof.

$\mathbf{RA1}(\mathit{true})$   {Definition of $\mathbf{RA1}$}

$= (\mathit{true} \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Predicate calculus}

$= (ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Substitution}

$= \mathit{States}_{tr \leq tr'}(s) \cap ac' \neq \emptyset$

□

Lemma L.G.1.12 Provided $x$ is not in the set $\{s, ac'\}$,

$\mathbf{RA1}(\exists x \bullet P) = \exists x \bullet \mathbf{RA1}(P)$

Proof.

$\mathbf{RA1}(\exists x \bullet P)$   {Definition of $\mathbf{RA1}$}

$= ((\exists x \bullet P) \land ac' \neq \emptyset)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac']$   {Assumption: $x$ is not $ac'$ and predicate calculus}

$= (\exists x \bullet P \land ac' \neq \emptyset)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac']$   {Assumption: $x$ is not $s$ and predicate calculus}

$= \exists x \bullet (P \land ac' \neq \emptyset)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac']$   {Definition of $\mathbf{RA1}$}

$= \exists x \bullet \mathbf{RA1}(P)$

□


Lemma L.G.1.13 $\mathbf{RA1}(x \in ac') = s.tr \leq x.tr \land x \in ac'$

Proof.

$\mathbf{RA1}(x \in ac')$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= (x \in ac')[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Substitution}

$= x \in \{z \mid z \in ac' \land s.tr \leq z.tr\} \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Property of sets}

$= x \in ac' \land s.tr \leq x.tr \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Predicate calculus}

$= x \in ac' \land s.tr \leq x.tr$

□

Lemma L.G.1.14

$\mathbf{RA1}(s \in ac') = s \in ac'$

Proof.

$\mathbf{RA1}(s \in ac')$   {Lemma L.G.1.13}

$= s.tr \leq s.tr \land s \in ac'$   {Property of sequences}

$= s \in ac'$

□

Lemma L.G.1.15 Provided $c$ is a condition,

$\mathbf{RA1}(P \lhd c \rhd Q) = \mathbf{RA1}(P) \lhd c \rhd \mathbf{RA1}(Q)$

Proof.

$\mathbf{RA1}(P \lhd c \rhd Q)$   {Definition of conditional}

$= \mathbf{RA1}((c \land P) \lor (\lnot c \land Q))$   {Theorem T.5.2.3}

$= \mathbf{RA1}(c \land P) \lor \mathbf{RA1}(\lnot c \land Q)$   {Assumption: $c$ is a condition and Lemma L.G.1.16}

$= (c \land \mathbf{RA1}(P)) \lor (\lnot c \land \mathbf{RA1}(Q))$   {Definition of conditional}

$= \mathbf{RA1}(P) \lhd c \rhd \mathbf{RA1}(Q)$

□

Lemma L.G.1.16 Provided $ac'$ is not free in $P$,

$\mathbf{RA1}(P \land Q) = P \land \mathbf{RA1}(Q)$

Proof.

$\mathbf{RA1}(P \land Q)$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= (P \land Q)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Substitution: $ac'$ not free in $P$}

$= P \land Q[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= P \land \mathbf{RA1}(Q)$

□

Lemma L.G.1.17 $\mathbf{RA1}(\lnot ok) = \lnot ok \land \mathbf{RA1}(\mathit{true})$

Proof.

$\mathbf{RA1}(\lnot ok)$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.1)}

$= (\lnot ok)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'] \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Substitution}

$= \lnot ok \land \exists z \bullet s.tr \leq z.tr \land z \in ac'$   {Lemma L.G.1.10}

$= \lnot ok \land \mathbf{RA1}(\mathit{true})$

□


Lemma L.G.1.18

$\mathbf{RA1}(\lnot P^f_f \vdash P^t_f) = \mathbf{RA1}(\lnot (P^f_f \land ac' \neq \emptyset) \vdash P^t_f \land ac' \neq \emptyset)$

Proof.

$\mathbf{RA1}(\lnot P^f_f \vdash P^t_f)$   {Definition of $\mathbf{RA1}$}

$= ((\lnot P^f_f \vdash P^t_f) \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Definition of design}

$= (((ok \land \lnot P^f_f) \Rightarrow (P^t_f \land ok')) \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Predicate calculus}

$= ((\lnot ok \lor P^f_f \lor (P^t_f \land ok')) \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Predicate calculus}

$= ((\lnot ok \lor (P^f_f \land ac' \neq \emptyset) \lor (P^t_f \land ac' \neq \emptyset \land ok')) \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Predicate calculus}

$= (((ok \land \lnot (P^f_f \land ac' \neq \emptyset)) \Rightarrow (P^t_f \land ac' \neq \emptyset \land ok')) \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Definition of design}

$= ((\lnot (P^f_f \land ac' \neq \emptyset) \vdash P^t_f \land ac' \neq \emptyset) \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Definition of $\mathbf{RA1}$}

$= \mathbf{RA1}(\lnot (P^f_f \land ac' \neq \emptyset) \vdash P^t_f \land ac' \neq \emptyset)$

□

Lemma L.G.1.19 Provided $ac'$ is not free in $P$,

$\mathbf{RA1}(P) = P \land \mathbf{RA1}(\mathit{true})$

Proof.

$\mathbf{RA1}(P)$   {Predicate calculus}

$= \mathbf{RA1}(P \land \mathit{true})$   {Assumption: $ac'$ not free in $P$ and Lemma L.G.1.16}

$= P \land \mathbf{RA1}(\mathit{true})$

□


Lemma L.G.1.20 $\mathbf{RA1}(P \vdash Q) = \mathbf{RA1}(P \vdash \mathbf{RA1}(Q))$

Proof.

$\mathbf{RA1}(P \vdash Q)$   {Definition of design}

$= \mathbf{RA1}((ok \land P) \Rightarrow (Q \land ok'))$   {Predicate calculus}

$= \mathbf{RA1}(\lnot ok \lor \lnot P \lor (Q \land ok'))$   {Theorems T.5.2.3 and T.G.1.1}

$= \mathbf{RA1}(\lnot ok \lor \lnot P \lor \mathbf{RA1}(Q \land ok'))$   {Lemma L.G.1.16}

$= \mathbf{RA1}(\lnot ok \lor \lnot P \lor (\mathbf{RA1}(Q) \land ok'))$   {Predicate calculus}

$= \mathbf{RA1}((ok \land P) \Rightarrow (\mathbf{RA1}(Q) \land ok'))$   {Definition of design}

$= \mathbf{RA1}(P \vdash \mathbf{RA1}(Q))$

□
Lemma L.G.1.21 Provided $P$ is $\mathbf{PBMH}$-healthy,

$\mathbf{RA1}(P) \Rightarrow P$

Proof.

$\mathbf{RA1}(P)$   {Definition of $\mathbf{RA1}$ and Lemma L.G.1.10}

$= P[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac'] \land \mathbf{RA1}(\mathit{true})$   {Predicate calculus}

$\Rightarrow P[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy (Lemma L.4.2.1)}

$= (\exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac')[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Substitution}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \mathit{States}_{tr \leq tr'}(s) \cap ac'$   {Property of sets}

$= \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq \mathit{States}_{tr \leq tr'}(s) \land ac_0 \subseteq ac'$   {Predicate calculus}

$\Rightarrow \exists ac_0 \bullet P[ac_0/ac'] \land ac_0 \subseteq ac'$   {Lemma L.4.2.1}

$= \mathbf{PBMH}(P)$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy}

$= P$

□

Lemma L.G.1.22 $\mathbf{RA1}(ac' \neq \emptyset) = \mathbf{RA1}(\mathit{true})$

Proof.

$\mathbf{RA1}(ac' \neq \emptyset)$   {Definition of $\mathbf{RA1}$}

$= (ac' \neq \emptyset \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Predicate calculus}

$= (\mathit{true} \land ac' \neq \emptyset)[\mathit{States}_{tr \leq tr'}(s) \cap ac'/ac']$   {Definition of $\mathbf{RA1}$}

$= \mathbf{RA1}(\mathit{true})$

□

Lemma L.G.1.23 $\mathbf{RA1}(P \vdash Q) = \mathbf{RA1}(\lnot \mathbf{RA1}(\lnot P) \vdash Q)$

Proof.

$\mathbf{RA1}(P \vdash Q)$   {Definition of design}

$= \mathbf{RA1}((ok \land P) \Rightarrow (Q \land ok'))$   {Predicate calculus}

$= \mathbf{RA1}(\lnot ok \lor \lnot P \lor (Q \land ok'))$   {Theorem T.5.2.3}

$= \mathbf{RA1}(\lnot ok) \lor \mathbf{RA1}(\lnot P) \lor \mathbf{RA1}(Q \land ok')$   {Theorem T.G.1.1}

$= \mathbf{RA1}(\lnot ok) \lor \mathbf{RA1} \circ \mathbf{RA1}(\lnot P) \lor \mathbf{RA1}(Q \land ok')$   {Theorem T.5.2.3}

$= \mathbf{RA1}(\lnot ok \lor \mathbf{RA1}(\lnot P) \lor (Q \land ok'))$   {Predicate calculus}

$= \mathbf{RA1}((ok \land \lnot \mathbf{RA1}(\lnot P)) \Rightarrow (Q \land ok'))$   {Definition of design}

$= \mathbf{RA1}(\lnot \mathbf{RA1}(\lnot P) \vdash Q)$

□


{Theorem IT. 5.2. 31} 
{Predicate calculus} 
{Definition of design} 


G.1.4 Substitution Properties

Lemma L.G.1.24 $\mathbf{RA1}(P)^o_w = \mathbf{RA1}(P^o_w)$

Proof.

$\mathbf{RA1}(P)^o_w$   {Definition of $\mathbf{RA1}$}

$= ((P \land ac' \neq \emptyset)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'])^o_w$   {Substitution abbreviation}

$= ((P \land ac' \neq \emptyset)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac'])[o, s \oplus \{wait \mapsto w\}/ok', s]$   {Substitution}

$= (P[o, s \oplus \{wait \mapsto w\}/ok', s] \land ac' \neq \emptyset)[\{z \mid z \in ac' \land (s \oplus \{wait \mapsto w\}).tr \leq z.tr\}/ac']$   {Property of $\oplus$}

$= (P[o, s \oplus \{wait \mapsto w\}/ok', s] \land ac' \neq \emptyset)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac']$   {Substitution abbreviation}

$= (P^o_w \land ac' \neq \emptyset)[\{z \mid z \in ac' \land s.tr \leq z.tr\}/ac']$   {Definition of $\mathbf{RA1}$}

$= \mathbf{RA1}(P^o_w)$

□


G.1.5 Properties with respect to $;_A$

Theorem T.G.1.3

$\mathbf{RA1}(\mathit{true}) ;_A (P \lor Q) = (\mathbf{RA1}(\mathit{true}) ;_A P) \lor (\mathbf{RA1}(\mathit{true}) ;_A Q)$

Proof.

$\mathbf{RA1}(\mathit{true}) ;_A (P \lor Q)$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.10)}

$= (\exists z \bullet s.tr \leq z.tr \land z \in ac') ;_A (P \lor Q)$   {Definition of $;_A$ and substitution}

$= \exists z \bullet s.tr \leq z.tr \land z \in \{s \mid P \lor Q\}$   {Property of sets}

$= \exists z \bullet s.tr \leq z.tr \land (P[z/s] \lor Q[z/s])$   {Predicate calculus}

$= (\exists z \bullet s.tr \leq z.tr \land P[z/s]) \lor (\exists z \bullet s.tr \leq z.tr \land Q[z/s])$   {Property of sets}

$= (\exists z \bullet s.tr \leq z.tr \land z \in \{s \mid P\}) \lor (\exists z \bullet s.tr \leq z.tr \land z \in \{s \mid Q\})$   {Definition of $;_A$ and substitution}

$= ((\exists z \bullet s.tr \leq z.tr \land z \in ac') ;_A P) \lor ((\exists z \bullet s.tr \leq z.tr \land z \in ac') ;_A Q)$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.10)}

$= (\mathbf{RA1}(\mathit{true}) ;_A P) \lor (\mathbf{RA1}(\mathit{true}) ;_A Q)$

□


Theorem T.G.1.4 Provided $ac'$ is not free in $P$,

$\mathbf{RA1}(P) ;_A (Q \lor R) = (\mathbf{RA1}(P) ;_A Q) \lor (\mathbf{RA1}(P) ;_A R)$

Proof.

$\mathbf{RA1}(P) ;_A (Q \lor R)$   {Predicate calculus}

$= \mathbf{RA1}(P \land \mathit{true}) ;_A (Q \lor R)$   {Assumption: $ac'$ not free in $P$ and Lemma L.G.1.16}

$= (P \land \mathbf{RA1}(\mathit{true})) ;_A (Q \lor R)$   {Lemma L.F.1.5}

$= (P ;_A (Q \lor R)) \land (\mathbf{RA1}(\mathit{true}) ;_A (Q \lor R))$   {Lemma L.F.1.1}

$= P \land (\mathbf{RA1}(\mathit{true}) ;_A (Q \lor R))$   {Theorem T.G.1.3}

$= P \land ((\mathbf{RA1}(\mathit{true}) ;_A Q) \lor (\mathbf{RA1}(\mathit{true}) ;_A R))$   {Predicate calculus}

$= (P \land (\mathbf{RA1}(\mathit{true}) ;_A Q)) \lor (P \land (\mathbf{RA1}(\mathit{true}) ;_A R))$   {Lemma L.F.1.1}

$= ((P ;_A Q) \land (\mathbf{RA1}(\mathit{true}) ;_A Q)) \lor ((P ;_A R) \land (\mathbf{RA1}(\mathit{true}) ;_A R))$   {Lemma L.F.1.5}

$= ((P \land \mathbf{RA1}(\mathit{true})) ;_A Q) \lor ((P \land \mathbf{RA1}(\mathit{true})) ;_A R)$   {Assumption: $ac'$ not free in $P$ and Lemma L.G.1.16}

$= (\mathbf{RA1}(P \land \mathit{true}) ;_A Q) \lor (\mathbf{RA1}(P \land \mathit{true}) ;_A R)$   {Predicate calculus}

$= (\mathbf{RA1}(P) ;_A Q) \lor (\mathbf{RA1}(P) ;_A R)$

□


Theorem T.G.1.5 Provided $P$ is $\mathbf{PBMH}$-healthy,

$(P ;_A \mathbf{RA1}(\mathit{true})) \lor (P ;_A \mathbf{RA1}(Q)) = (P ;_A \mathbf{RA1}(\mathit{true}))$

Proof.

$(P ;_A \mathbf{RA1}(\mathit{true})) \lor (P ;_A \mathbf{RA1}(Q))$   {Assumption: $P$ is $\mathbf{PBMH}$-healthy and Lemma L.F.2.1}

$= ((P ;_A \mathbf{RA1}(\mathit{true})) \lor (P ;_A \mathbf{RA1}(Q))) \land (P ;_A (\mathbf{RA1}(\mathit{true}) \lor \mathbf{RA1}(Q)))$   {Theorem T.5.2.3}

$= ((P ;_A \mathbf{RA1}(\mathit{true})) \lor (P ;_A \mathbf{RA1}(Q))) \land (P ;_A \mathbf{RA1}(\mathit{true} \lor Q))$   {Predicate calculus}

$= ((P ;_A \mathbf{RA1}(\mathit{true})) \lor (P ;_A \mathbf{RA1}(Q))) \land (P ;_A \mathbf{RA1}(\mathit{true}))$   {Predicate calculus: absorption law}

$= P ;_A \mathbf{RA1}(\mathit{true})$

□


Lemma L.G.1.25 $\mathbf{RA1}(\mathit{true}) ;_A \mathit{true} = \mathit{true}$

Proof.

$\mathbf{RA1}(\mathit{true}) ;_A \mathit{true}$   {Lemma L.G.1.10}

$= (\exists z \bullet s.tr \leq z.tr \land z \in ac') ;_A \mathit{true}$   {Definition of $;_A$ and substitution}

$= \exists z \bullet s.tr \leq z.tr \land z \in \{s \mid \mathit{true}\}$   {Property of sets}

$= \exists z \bullet s.tr \leq z.tr \land \mathit{true}$   {Predicate calculus}

$= \exists z \bullet s.tr \leq z.tr$   {Predicate calculus}

$= \mathit{true}$

□


Lemma L.G.1.26

$\mathbf{RA1}(\mathit{true}) ;_A (s.wait \land \lnot ok \land \mathbf{RA1}(\mathit{true})) = \lnot ok \land \mathbf{RA1}(\mathit{true})$

Proof.

$\mathbf{RA1}(\mathit{true}) ;_A (s.wait \land \lnot ok \land \mathbf{RA1}(\mathit{true}))$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.10)}

$= (\exists z \bullet s.tr \leq z.tr \land z \in ac') ;_A (s.wait \land \lnot ok \land \mathbf{RA1}(\mathit{true}))$   {Definition of $;_A$ and substitution}

$= \exists z \bullet s.tr \leq z.tr \land z \in \{s \mid s.wait \land \lnot ok \land \mathbf{RA1}(\mathit{true})\}$   {Property of sets and substitution}

$= \exists z \bullet s.tr \leq z.tr \land z.wait \land \lnot ok \land \mathbf{RA1}(\mathit{true})[z/s]$   {Predicate calculus: quantifier scope}

$= \lnot ok \land \exists z \bullet s.tr \leq z.tr \land z.wait \land \mathbf{RA1}(\mathit{true})[z/s]$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.10)}

$= \lnot ok \land \exists z \bullet s.tr \leq z.tr \land z.wait \land (\exists y \bullet z.tr \leq y.tr \land y \in ac')$   {Introduce fresh variables}

$= \lnot ok \land \exists z, w, t, o \bullet s.tr \leq t \land w \land t = z.tr \land w = z.wait \land (\exists y \bullet t \leq y.tr \land y \in ac')$   {Property of records}

$= \lnot ok \land \exists z, w, t, o \bullet s.tr \leq t \land w \land z = o \oplus \{tr \mapsto t, wait \mapsto w\} \land (\exists y \bullet t \leq y.tr \land y \in ac')$   {One-point rule}

$= \lnot ok \land \exists w, t \bullet s.tr \leq t \land w \land (\exists y \bullet t \leq y.tr \land y \in ac')$   {Predicate calculus}

$= \lnot ok \land \exists w, t, y \bullet s.tr \leq t \land t \leq y.tr \land y \in ac' \land w$   {One-point rule}

$= \lnot ok \land \exists t, y \bullet s.tr \leq t \land t \leq y.tr \land y \in ac'$   {Property of sets}

$= \lnot ok \land \exists y \bullet s.tr \leq y.tr \land y \in ac'$   {Definition of $\mathbf{RA1}$ (Lemma L.G.1.10)}

$= \lnot ok \land \mathbf{RA1}(\mathit{true})$

□
Lemma L.G.1.27 Provided P is RA3 and RA1-healthy,

$RA1(\neg ok) ;_A P = RA1(\neg ok)$

Proof.

$RA1(\neg ok) ;_A P$ {Lemma L.G.1.16}
$= (\neg ok \wedge RA1(true)) ;_A P$ {Lemma L.F.1.5}
$= (\neg ok ;_A P) \wedge (RA1(true) ;_A P)$ {Lemma L.F.1.1}
$= \neg ok \wedge (RA1(true) ;_A P)$ {Assumption: P is RA1-healthy and Lemma L.G.1.32}
$= \neg ok \wedge RA1(true) \wedge (RA1(true) ;_A P)$ {Assumption: P is RA3-healthy}
$= \neg ok \wedge RA1(true) \wedge (RA1(true) ;_A (\mathbf{II}_{RAD} \lhd s.wait \rhd P))$ {Definition of conditional and $\mathbf{II}_{RAD}$}
$= \neg ok \wedge RA1(true) \wedge (RA1(true) ;_A ((s.wait \wedge RA1(\neg ok)) \vee (s.wait \wedge ok' \wedge s \in ac') \vee (\neg s.wait \wedge P)))$ {Theorem T.G.1.4}
$= \neg ok \wedge RA1(true) \wedge ((RA1(true) ;_A (s.wait \wedge RA1(\neg ok))) \vee (RA1(true) ;_A (s.wait \wedge ok' \wedge s \in ac')) \vee (RA1(true) ;_A (\neg s.wait \wedge P)))$ {Predicate calculus and Lemma L.G.1.16}
$= \neg ok \wedge RA1(true) \wedge ((RA1(true) ;_A (s.wait \wedge \neg ok \wedge RA1(true))) \vee (RA1(true) ;_A (s.wait \wedge ok' \wedge s \in ac')) \vee (RA1(true) ;_A (\neg s.wait \wedge P)))$ {Lemma L.G.1.26}
$= \neg ok \wedge RA1(true) \wedge ((\neg ok \wedge RA1(true)) \vee (RA1(true) ;_A (s.wait \wedge ok' \wedge s \in ac')) \vee (RA1(true) ;_A (\neg s.wait \wedge P)))$ {Predicate calculus: absorption law}
$= \neg ok \wedge RA1(true)$ {Lemma L.G.1.16}
$= RA1(\neg ok \wedge true)$ {Predicate calculus}
$= RA1(\neg ok)$

□


Lemma L.G.1.28 $RA1(true) ;_A RA1(true) = RA1(true)$

Proof.

$RA1(true) ;_A RA1(true)$ {Lemma L.G.1.10}
$= (\exists z \bullet s.tr \le z.tr \wedge z \in ac') ;_A (\exists z \bullet s.tr \le z.tr \wedge z \in ac')$ {Definition of $;_A$}
$= (\exists z \bullet s.tr \le z.tr \wedge z \in ac')[\{s \mid \exists z \bullet s.tr \le z.tr \wedge z \in ac'\}/ac']$ {Substitution}
$= \exists z \bullet s.tr \le z.tr \wedge z \in \{s \mid \exists z \bullet s.tr \le z.tr \wedge z \in ac'\}$ {Variable renaming}
$= \exists z \bullet s.tr \le z.tr \wedge z \in \{s \mid \exists y \bullet s.tr \le y.tr \wedge y \in ac'\}$ {Property of sets}
$= \exists z \bullet s.tr \le z.tr \wedge (\exists y \bullet z.tr \le y.tr \wedge y \in ac')$ {Predicate calculus}
$= \exists z, y \bullet s.tr \le z.tr \wedge z.tr \le y.tr \wedge y \in ac'$ {Transitivity of sequence prefixing}
$= \exists y \bullet s.tr \le y.tr \wedge y \in ac'$ {Lemma L.G.1.10}
$= RA1(true)$

□


Lemma L.G.1.29 Provided ac' is not free in P,

$RA1(P) ;_A RA1(true) = RA1(P)$

Proof.

$RA1(P) ;_A RA1(true)$ {Assumption: ac' not free in P and Lemma L.G.1.19}
$= (P \wedge RA1(true)) ;_A RA1(true)$ {Distributivity of $;_A$}
$= (P ;_A RA1(true)) \wedge (RA1(true) ;_A RA1(true))$ {Property of $;_A$ when ac' not free}
$= P \wedge (RA1(true) ;_A RA1(true))$ {Lemma L.G.1.28}
$= P \wedge RA1(true)$ {Lemma L.G.1.16}
$= RA1(P \wedge true)$ {Predicate calculus}
$= RA1(P)$

□


Lemma L.G.1.30 Provided P is PBMH-healthy,

$RA1(P) ;_A RA1(true) \Rightarrow RA1(P) ;_A true$

Proof.

$RA1(P) ;_A RA1(true)$ {Assumption: P is PBMH-healthy and Theorem T.5.2.5 and Lemma L.G.1.31}
$\Rightarrow RA1(P) ;_A true$

□


Lemma L.G.1.31 Provided P is PBMH-healthy,

$P ;_A Q \Rightarrow P ;_A true$

Proof.

$P ;_A Q$ {Predicate calculus}
$= P ;_A (Q \wedge true)$ {Assumption: P is PBMH-healthy and Lemma L.F.1.6}
$\Rightarrow (P ;_A Q) \wedge (P ;_A true)$ {Predicate calculus}
$\Rightarrow (P ;_A true)$

□


Lemma L.G.1.32 $RA1(true) ;_A RA1(P) \Rightarrow RA1(true)$

Proof.

$RA1(true) ;_A RA1(P)$ {Definition of RA1}
$= RA1(true) ;_A (P[States_{tr \le tr'}(s) \cap ac'/ac'] \wedge RA1(true))$ {Lemma L.F.1.6}
$\Rightarrow RA1(true) ;_A RA1(true)$ {Lemma L.G.1.28}
$= RA1(true)$

□


G.1.6 Properties with respect to RA2

Lemma L.G.1.33

$RA1 \circ RA2(P) = RA2(P) \wedge \exists z \bullet s.tr \le z.tr \wedge z \in ac'$

Proof.

$RA1 \circ RA2(P)$ {Definition of RA1 (Lemma L.G.1.1)}
$= RA2(P)[\{z \mid z \in ac' \wedge s.tr \le z.tr\}/ac'] \wedge \exists z \bullet s.tr \le z.tr \wedge z \in ac'$ {Lemma L.G.1.34}
$= RA2(P) \wedge \exists z \bullet s.tr \le z.tr \wedge z \in ac'$

□


Lemma L.G.1.34

$RA2(P)[\{z \mid z \in ac' \wedge s.tr \le z.tr\}/ac'] = RA2(P)$

Proof.

$RA2(P)[\{z \mid z \in ac' \wedge s.tr \le z.tr\}/ac']$ {Definition of RA2}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac'][\{z \mid z \in ac' \wedge s.tr \le z.tr\}/ac']$ {Substitution}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in \{z \mid z \in ac' \wedge s.tr \le z.tr\} \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Property of sets}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Predicate calculus}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Definition of RA2}
$= RA2(P)$

□


Lemma L.G.1.35 $RA1(P) \Rightarrow RA1(true)$

Proof.

$RA1(P)$ {Predicate calculus}
$= RA1(P \wedge true)$ {Theorem T.5.2.2}
$= RA1(P) \wedge RA1(true)$ {Predicate calculus}
$\Rightarrow RA1(true)$

□


Lemma L.G.1.36 $RA1 \circ RA2(P) \Rightarrow RA1(true)$

Proof.

$RA1 \circ RA2(P)$ {Lemma L.G.1.33}
$= RA2(P) \wedge RA1(true)$ {Predicate calculus}
$\Rightarrow RA1(true)$

□


G.1.7 Properties with respect to PBMH

Theorem T.G.1.6 $RA \circ A(P) = RA \circ PBMH(P)$

Proof.

$RA \circ A(P)$ {Definition of RA and A}
$= RA3 \circ RA2 \circ RA1 \circ A0 \circ A1(P)$ {A1 is PBMH}
$= RA3 \circ RA2 \circ RA1 \circ A0 \circ PBMH(P)$ {Theorem T.5.2.1}
$= RA3 \circ RA2 \circ RA1 \circ PBMH(P)$ {Definition of RA}
$= RA \circ PBMH(P)$

□


Lemma L.G.1.37 Provided P is PBMH-healthy,

$RA1(P) = PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))$

Proof.

$RA1(P)$ {Definition of RA1 (Lemma L.G.1.2)}
$= (P \wedge ac' \neq \emptyset)[States_{tr \le tr'}(s) \cap ac'/ac']$ {Assumption: P is PBMH-healthy}
$= (PBMH(P) \wedge ac' \neq \emptyset)[States_{tr \le tr'}(s) \cap ac'/ac']$ {$ac' \neq \emptyset$ is PBMH-healthy and closure (Theorem T.E.3.1)}
$= PBMH(PBMH(P) \wedge ac' \neq \emptyset)[States_{tr \le tr'}(s) \cap ac'/ac']$ {Assumption: P is PBMH-healthy}
$= PBMH(P \wedge ac' \neq \emptyset)[States_{tr \le tr'}(s) \cap ac'/ac']$ {Definition of PBMH (Lemma L.4.2.1)}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \neq \emptyset \wedge ac_0 \subseteq ac')[States_{tr \le tr'}(s) \cap ac'/ac']$ {Substitution}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \neq \emptyset \wedge ac_0 \subseteq (States_{tr \le tr'}(s) \cap ac')$ {Property of sets}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \neq \emptyset \wedge ac_0 \subseteq States_{tr \le tr'}(s) \wedge ac_0 \subseteq ac'$ {Substitution}
$= \exists ac_0 \bullet (P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))$

□


Lemma L.G.1.38

$PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s)) \Rightarrow ac' \cap States_{tr \le tr'}(s) \neq \emptyset$

Proof.

$PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_0 \bullet (P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))[ac_0/ac'] \wedge ac_0 \subseteq ac'$ {Substitution}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \neq \emptyset \wedge ac_0 \subseteq States_{tr \le tr'}(s) \wedge ac_0 \subseteq ac'$ {Property of sets}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \neq \emptyset \wedge ac_0 \subseteq (States_{tr \le tr'}(s) \cap ac')$ {Property of sets}
$= \exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \neq \emptyset \wedge ac_0 \subseteq (States_{tr \le tr'}(s) \cap ac') \wedge States_{tr \le tr'}(s) \cap ac' \neq \emptyset$ {Predicate calculus}
$\Rightarrow States_{tr \le tr'}(s) \cap ac' \neq \emptyset$

□


Lemma L.G.1.39

$(ac' \cap States_{tr \le tr'}(s) \neq \emptyset) ;_A PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s)) \Rightarrow ac' \cap States_{tr \le tr'}(s) \neq \emptyset$

Proof.

$(ac' \cap States_{tr \le tr'}(s) \neq \emptyset) ;_A PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))$ {Property of sets}
$= (\exists z \bullet z \in States_{tr \le tr'}(s) \wedge z \in ac') ;_A PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))$ {Property of sets and definition of $States_{tr \le tr'}(s)$}
$= (\exists z \bullet s.tr \le z.tr \wedge z \in ac') ;_A PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))$ {Definition of $;_A$ and substitution}
$= \exists z \bullet s.tr \le z.tr \wedge z \in \{s \mid PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))\}$ {Variable renaming and property of sets}
$= \exists z \bullet s.tr \le z.tr \wedge PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))[z/s]$ {Lemma L.G.1.38}
$= \exists z \bullet s.tr \le z.tr \wedge (PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s)) \wedge ac' \cap States_{tr \le tr'}(s) \neq \emptyset)[z/s]$ {Substitution}
$= \exists z \bullet s.tr \le z.tr \wedge PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))[z/s] \wedge ac' \cap States_{tr \le tr'}(z) \neq \emptyset$ {Predicate calculus}
$\Rightarrow (\exists z \bullet s.tr \le z.tr \wedge PBMH(P \wedge ac' \neq \emptyset \wedge ac' \subseteq States_{tr \le tr'}(s))[z/s]) \wedge (\exists z \bullet s.tr \le z.tr \wedge ac' \cap States_{tr \le tr'}(z) \neq \emptyset)$ {Predicate calculus}
$\Rightarrow \exists z \bullet s.tr \le z.tr \wedge ac' \cap States_{tr \le tr'}(z) \neq \emptyset$ {Property of sets and definition of $States_{tr \le tr'}$}
$= \exists z \bullet s.tr \le z.tr \wedge (\exists y \bullet z.tr \le y.tr \wedge y \in ac')$ {Predicate calculus}
$= \exists z, y \bullet s.tr \le z.tr \wedge z.tr \le y.tr \wedge y \in ac'$ {Predicate calculus and transitivity of sequence prefixing}
$= \exists y \bullet s.tr \le y.tr \wedge y \in ac'$ {Property of sets and definition of $States_{tr \le tr'}$}
$= ac' \cap States_{tr \le tr'}(s) \neq \emptyset$

□


G.1.8 Properties with respect to A2

Lemma L.G.1.40

$RA1 \circ A2(P) = RA1(true) \wedge (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge s.tr \le y.tr \wedge y \in ac'))$

Proof.

$RA1 \circ A2(P)$ {Theorem T.4.2.11}
$= RA1(P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge y \in ac'))$ {Theorem T.5.2.3}
$= RA1(P[\emptyset/ac']) \vee RA1(\exists y \bullet P[\{y\}/ac'] \wedge y \in ac')$ {Lemma L.G.1.5}
$= RA1(P[\emptyset/ac']) \vee (\exists y \bullet P[\{y\}/ac'] \wedge s.tr \le y.tr \wedge y \in ac')$ {Lemma L.G.1.16}
$= (RA1(true) \wedge P[\emptyset/ac']) \vee (\exists y \bullet P[\{y\}/ac'] \wedge s.tr \le y.tr \wedge y \in ac')$ {Predicate calculus}
$= (RA1(true) \wedge P[\emptyset/ac']) \vee ((\exists y \bullet P[\{y\}/ac'] \wedge s.tr \le y.tr \wedge y \in ac') \wedge RA1(true))$ {Predicate calculus and Lemma L.G.1.10}
$= RA1(true) \wedge (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge s.tr \le y.tr \wedge y \in ac'))$

□


Theorem T.G.1.7 $A2 \circ RA1 \circ A2(P) = RA1 \circ A2(P)$

Proof.

$A2 \circ RA1 \circ A2(P)$ {Theorem T.4.2.11}
$= (RA1 \circ A2(P))[\emptyset/ac'] \vee (\exists z \bullet (RA1 \circ A2(P))[\{z\}/ac'] \wedge z \in ac')$ {Lemma L.G.1.40}
$= (RA1(true) \wedge (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge s.tr \le y.tr \wedge y \in ac')))[\emptyset/ac'] \vee (\exists z \bullet (RA1(true) \wedge (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge s.tr \le y.tr \wedge y \in ac')))[\{z\}/ac'] \wedge z \in ac')$ {Substitution}
$= (RA1(true)[\emptyset/ac'] \wedge (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge s.tr \le y.tr \wedge y \in ac'))[\emptyset/ac']) \vee (\exists z \bullet RA1(true)[\{z\}/ac'] \wedge (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge s.tr \le y.tr \wedge y \in \{z\})) \wedge z \in ac')$ {Lemma L.G.1.3 and predicate calculus}
$= \exists z \bullet RA1(true)[\{z\}/ac'] \wedge (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge s.tr \le y.tr \wedge y \in \{z\})) \wedge z \in ac'$ {Property of sets}
$= \exists z \bullet RA1(true)[\{z\}/ac'] \wedge (P[\emptyset/ac'] \vee (\exists y \bullet P[\{y\}/ac'] \wedge s.tr \le y.tr \wedge y = z)) \wedge z \in ac'$ {One-point rule}
$= \exists z \bullet RA1(true)[\{z\}/ac'] \wedge (P[\emptyset/ac'] \vee (P[\{z\}/ac'] \wedge s.tr \le z.tr)) \wedge z \in ac'$ {Lemma L.G.1.4}
$= \exists z \bullet s.tr \le z.tr \wedge (P[\emptyset/ac'] \vee (P[\{z\}/ac'] \wedge s.tr \le z.tr)) \wedge z \in ac'$ {Predicate calculus}
$= (\exists z \bullet s.tr \le z.tr \wedge P[\emptyset/ac'] \wedge z \in ac') \vee (\exists z \bullet P[\{z\}/ac'] \wedge s.tr \le z.tr \wedge z \in ac')$ {Predicate calculus and Lemma L.G.1.10}
$= (RA1(true) \wedge P[\emptyset/ac']) \vee (\exists z \bullet P[\{z\}/ac'] \wedge s.tr \le z.tr \wedge z \in ac')$ {Predicate calculus and Lemma L.G.1.10}
$= (RA1(true) \wedge P[\emptyset/ac']) \vee (\exists z \bullet P[\{z\}/ac'] \wedge s.tr \le z.tr \wedge z \in ac' \wedge RA1(true))$ {Predicate calculus}
$= RA1(true) \wedge (P[\emptyset/ac'] \vee (\exists z \bullet P[\{z\}/ac'] \wedge s.tr \le z.tr \wedge z \in ac'))$ {Lemma L.G.1.40}
$= RA1 \circ A2(P)$

□
G.2 RA2

G.2.1 Definition

Definition 11

$RA2(P) = P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$
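An added worked instance (not from the thesis) applying Definition 11 to two constructed predicates, to show concretely what RA2-healthiness amounts to; the event $a$ is assumed purely for illustration. Take $P \equiv \exists w \bullet w \in ac' \wedge w.tr = s.tr \frown \langle a \rangle$, which constrains only how the trace is extended, and $Q \equiv s.tr = \langle a \rangle$, which constrains the absolute value of the trace:

$RA2(P)$ {Definition of RA2}
$= (\exists w \bullet w \in ac' \wedge w.tr = s.tr \frown \langle a \rangle)[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Substitution}
$= \exists w \bullet w \in \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\} \wedge w.tr = (s \oplus \{tr \mapsto \langle\rangle\}).tr \frown \langle a \rangle$ {Property of sets, $\oplus$ and value of record component tr}
$= \exists w, z \bullet z \in ac' \wedge s.tr \le z.tr \wedge w = z \oplus \{tr \mapsto z.tr - s.tr\} \wedge w.tr = \langle a \rangle$ {One-point rule}
$= \exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge z.tr - s.tr = \langle a \rangle$ {Property of sequences}
$= \exists z \bullet z \in ac' \wedge z.tr = s.tr \frown \langle a \rangle$ {Variable renaming}
$= P$

$RA2(Q)$ {Definition of RA2 and substitution}
$= (s \oplus \{tr \mapsto \langle\rangle\}).tr = \langle a \rangle$ {Value of record component tr}
$= \langle\rangle = \langle a \rangle$ {Property of sequences}
$= false$

So $P$ is a fixed point of RA2 while $Q$ is not: RA2 resets the initial trace to $\langle\rangle$ and keeps of each final state only the difference $z.tr - s.tr$, so only predicates that depend on that difference (as $P$ does) survive the substitution unchanged.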


G.2.2 Properties

Theorem T.5.2.6 $RA2(P \wedge Q) = RA2(P) \wedge RA2(Q)$

Proof.

$RA2(P \wedge Q)$ {Definition of RA2}
$= (P \wedge Q)[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Property of substitution}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac'] \wedge Q[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Definition of RA2}
$= RA2(P) \wedge RA2(Q)$

□


Theorem T.5.2.7 $RA2(P \vee Q) = RA2(P) \vee RA2(Q)$

Proof.

$RA2(P \vee Q)$ {Definition of RA2}
$= (P \vee Q)[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Property of substitution}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac'] \vee Q[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Definition of RA2}
$= RA2(P) \vee RA2(Q)$

□


Theorem T.5.2.8 Provided P and Q are RA2-healthy,

$RA2(P ;_A Q) = P ;_A Q$

Proof.

$RA2(P ;_A Q)$ {Assumption: P and Q are RA2-healthy}
$= RA2(RA2(P) ;_A RA2(Q))$ {Lemma L.G.2.17}
$= RA2(P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{t \mid Q[t \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto s.tr \frown t.tr \frown y.tr\} \in ac'\}/ac']\}/ac'])$ {Definition of RA2 (Lemma L.G.2.1)}
$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{t \mid Q[t \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto s.tr \frown t.tr \frown y.tr\} \in ac'\}/ac']\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}/s, ac']$ {Substitution}
$= P[s \oplus \{tr \mapsto \langle\rangle\} \oplus \{tr \mapsto \langle\rangle\}/s][\{t \mid Q[t \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto (s \oplus \{tr \mapsto \langle\rangle\}).tr \frown t.tr \frown y.tr\} \in \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}\}/ac']\}/ac']$ {Variable renaming, property of $\oplus$ and value of record component tr}
$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{t \mid Q[t \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto \langle\rangle \frown t.tr \frown y.tr\} \in \{z \mid z \oplus \{tr \mapsto s.tr \frown z.tr\} \in ac'\}\}/ac']\}/ac']$ {Property of sequences}
$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{t \mid Q[t \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto t.tr \frown y.tr\} \in \{z \mid z \oplus \{tr \mapsto s.tr \frown z.tr\} \in ac'\}\}/ac']\}/ac']$ {Property of sets, $\oplus$ and value of record component tr}
$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{t \mid Q[t \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto s.tr \frown t.tr \frown y.tr\} \in ac'\}/ac']\}/ac']$ {Lemma L.G.2.17}
$= RA2(P) ;_A RA2(Q)$ {Assumption: P and Q are RA2-healthy}
$= P ;_A Q$

□


Theorem T.5.2.9 $RA2(ac' \neq \emptyset) = RA1(true)$

Proof.

$RA2(ac' \neq \emptyset)$ {Definition of RA2}
$= (ac' \neq \emptyset)[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Substitution}
$= \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\} \neq \emptyset$ {Property of sets}
$= \exists y \bullet y \in \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}$ {Property of sets}
$= \exists y, z \bullet z \in ac' \wedge s.tr \le z.tr \wedge y = z \oplus \{tr \mapsto z.tr - s.tr\}$ {One-point rule}
$= \exists z \bullet z \in ac' \wedge s.tr \le z.tr$ {Lemma L.G.1.10}
$= RA1(true)$

□
Theorem T.5.2.10 $RA2 \circ RA1(P) = RA1 \circ RA2(P)$

Proof.

$RA2 \circ RA1(P)$ {Definition of RA2}
$= RA1(P)[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Definition of RA1}
$= (P \wedge ac' \neq \emptyset)[\{z \mid z \in ac' \wedge s.tr \le z.tr\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Substitution of s}
$= (P[s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge ac' \neq \emptyset)[\{z \mid z \in ac' \wedge (s \oplus \{tr \mapsto \langle\rangle\}).tr \le z.tr\}/ac'][\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac']$ {Value of state component tr}
$= (P[s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge ac' \neq \emptyset)[\{z \mid z \in ac' \wedge \langle\rangle \le z.tr\}/ac'][\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac']$ {Property of sequence prefixing}
$= (P[s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge ac' \neq \emptyset)[\{z \mid z \in ac'\}/ac'][\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac']$ {Property of sets}
$= (P[s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge ac' \neq \emptyset)[ac'/ac'][\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac']$ {Property of substitution}
$= (P[s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge ac' \neq \emptyset)[\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac']$ {Substitution}
$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac'] \wedge \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\} \neq \emptyset$ {Property of sets}
$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac'] \wedge \exists y, z \bullet z \in ac' \wedge s.tr \le z.tr \wedge y = z \oplus \{tr \mapsto z.tr - s.tr\}$ {One-point rule}
$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac'] \wedge \exists z \bullet z \in ac' \wedge s.tr \le z.tr$ {Property of sets}
$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid z \in \{z \mid z \in ac' \wedge s.tr \le z.tr\} \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac'] \wedge \exists z \bullet z \in ac' \wedge s.tr \le z.tr$ {Property of substitution}
$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac'][\{z \mid z \in ac' \wedge s.tr \le z.tr\}/ac'] \wedge \exists z \bullet z \in ac' \wedge s.tr \le z.tr$ {Definition of RA2}
$= RA2(P)[\{z \mid z \in ac' \wedge s.tr \le z.tr\}/ac'] \wedge \exists z \bullet z \in ac' \wedge s.tr \le z.tr$ {Lemma L.G.1.1}
$= RA1 \circ RA2(P)$

□


Theorem T.5.2.11 $PBMH \circ RA2 \circ PBMH(P) = RA2 \circ PBMH(P)$

Proof.

$PBMH \circ RA2 \circ PBMH(P)$ {Definition of PBMH (Lemma L.4.2.1)}
$= PBMH \circ RA2(\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')$ {Definition of RA2}
$= PBMH((\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac'])$ {Substitution}
$= PBMH(\exists ac_0 \bullet P[ac_0/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge ac_0 \subseteq \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\})$ {Definition of PBMH (Lemma L.4.2.1)}
$= \exists ac_1, ac_0 \bullet P[ac_0/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge ac_0 \subseteq \{z \mid z \in ac_1 \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\} \wedge ac_1 \subseteq ac'$ {Definition of subset inclusion}
$= \exists ac_1, ac_0 \bullet P[ac_0/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge (\forall x \bullet x \in ac_0 \Rightarrow x \in \{z \mid z \in ac_1 \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}) \wedge ac_1 \subseteq ac'$ {Property of sets}
$= \exists ac_1, ac_0 \bullet P[ac_0/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge (\forall x \bullet x \in ac_0 \Rightarrow \exists z \bullet z \in ac_1 \wedge s.tr \le z.tr \wedge x = z \oplus \{tr \mapsto z.tr - s.tr\}) \wedge ac_1 \subseteq ac'$ {Lemma L.G.1.8}
$= \exists ac_1, ac_0 \bullet P[ac_0/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge (\forall x \bullet x \in ac_0 \Rightarrow x \oplus \{tr \mapsto s.tr \frown x.tr\} \in ac_1) \wedge ac_1 \subseteq ac'$ {Lemma L.E.4.13}
$= \exists ac_0 \bullet P[ac_0/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge (\forall x \bullet x \in ac_0 \Rightarrow (x \oplus \{tr \mapsto s.tr \frown x.tr\}) \in ac')$ {Lemma L.G.1.8}
$= \exists ac_0 \bullet P[ac_0/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge (\forall x \bullet x \in ac_0 \Rightarrow \exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge x = z \oplus \{tr \mapsto z.tr - s.tr\})$ {Property of sets}
$= \exists ac_0 \bullet P[ac_0/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \wedge ac_0 \subseteq \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}$ {Substitution}
$= (\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Definition of RA2}
$= RA2(\exists ac_0 \bullet P[ac_0/ac'] \wedge ac_0 \subseteq ac')$ {Definition of PBMH (Lemma L.4.2.1)}
$= RA2 \circ PBMH(P)$

□


Theorem T.G.2.1 $RA2 \circ RA2(P) = RA2(P)$

Proof.

$RA2 \circ RA2(P)$ {Definition of RA2 twice}
$= P[(s \oplus \{tr \mapsto \langle\rangle\}) \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\} \wedge (s \oplus \{tr \mapsto \langle\rangle\}).tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - (s \oplus \{tr \mapsto \langle\rangle\}).tr\}\}/s, ac']$ {Property of $\oplus$ and value of tr component}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\} \bullet z \oplus \{tr \mapsto z.tr - \langle\rangle\}\}/s, ac']$ {Property of sequence difference}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\} \bullet z \oplus \{tr \mapsto z.tr\}\}/s, ac']$ {Property of $\oplus$}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}\}/s, ac']$ {Property of sets}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Definition of RA2}
$= RA2(P)$

□


Theorem T.G.2.2 Provided $P \sqsubseteq Q$, $RA2(P) \sqsubseteq RA2(Q)$

Proof.

$RA2(Q)$ {Assumption: $P \sqsubseteq Q = [Q \Rightarrow P]$}
$= RA2(Q \wedge P)$ {Definition of RA2 and property of substitution}
$= RA2(Q) \wedge RA2(P)$ {Predicate calculus}
$\Rightarrow RA2(P)$

□


G.2.3 Lemmas

Lemma L.G.2.1

$RA2(P) = P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}/s, ac']$

Proof.

$RA2(P)$ {Definition of RA2}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Property of sets}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \in \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}\}/s, ac']$ {Property of sets}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid \exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge y = z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Lemma L.G.1.8}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}/s, ac']$

□


Lemma L.G.2.2 $RA2(true) = true$

Proof.

$RA2(true)$ {Definition of RA2}
$= true[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Substitution}
$= true$

□


Lemma L.G.2.3 $RA2(s \in ac') = s \in ac'$

Proof.

$RA2(s \in ac')$ {Definition of RA2}
$= (s \in ac')[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Substitution}
$= s \oplus \{tr \mapsto \langle\rangle\} \in \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}$ {Property of sets}
$= \exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge s \oplus \{tr \mapsto \langle\rangle\} = z \oplus \{tr \mapsto z.tr - s.tr\}$ {Property of $\oplus$}
$= \exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge \{tr\} \ndres s \cup \{tr \mapsto \langle\rangle\} = \{tr\} \ndres z \cup \{tr \mapsto z.tr - s.tr\}$ {Property of relations}
$= \exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge \{tr\} \ndres s = \{tr\} \ndres z \wedge \{tr \mapsto \langle\rangle\} = \{tr \mapsto z.tr - s.tr\}$ {Property of relations}
$= \exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge \{tr\} \ndres s = \{tr\} \ndres z \wedge \langle\rangle = z.tr - s.tr$ {Property of sequences}
$= \exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge \{tr\} \ndres s = \{tr\} \ndres z \wedge z.tr = s.tr$ {Property of relations}
$= \exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge s = z$ {One-point rule}
$= s \in ac' \wedge s.tr \le s.tr$ {Property of sequences}
$= s \in ac'$

□


Lemma L.G.2.4 Provided s and ac' are not free in P, $RA2(P) = P$.

Proof.

$RA2(P)$ {Definition of RA2}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Assumption and substitution}
$= P$

□


Lemma L.G.2.5

$RA2(P \lhd c \rhd Q) = RA2(P) \lhd RA2(c) \rhd RA2(Q)$

Proof.

$RA2(P \lhd c \rhd Q)$ {Definition of conditional}
$= RA2((c \wedge P) \vee (\neg c \wedge Q))$ {Theorem T.5.2.7}
$= RA2(c \wedge P) \vee RA2(\neg c \wedge Q)$ {Theorem T.5.2.6}
$= (RA2(c) \wedge RA2(P)) \vee (RA2(\neg c) \wedge RA2(Q))$ {Lemma L.G.2.7}
$= (RA2(c) \wedge RA2(P)) \vee (\neg RA2(c) \wedge RA2(Q))$ {Definition of conditional}
$= RA2(P) \lhd RA2(c) \rhd RA2(Q)$

□


Lemma L.G.2.6 Provided c is RA2-healthy,

$RA2(P \lhd c \rhd Q) = RA2(P) \lhd c \rhd RA2(Q)$

Proof.

$RA2(P \lhd c \rhd Q)$ {Lemma L.G.2.5}
$= RA2(P) \lhd RA2(c) \rhd RA2(Q)$ {Assumption: c is RA2-healthy}
$= RA2(P) \lhd c \rhd RA2(Q)$

□


Lemma L.G.2.7 $RA2(\neg P) = \neg RA2(P)$

Proof.

$RA2(\neg P)$ {Definition of RA2}
$= (\neg P)[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Property of substitution}
$= \neg P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Definition of RA2}
$= \neg RA2(P)$

□


Lemma L.G.2.8 Where c is not tr, $RA2(s.c) = s.c$

Proof.

$RA2(s.c)$ {Definition of RA2}
$= s.c[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Substitution}
$= (s \oplus \{tr \mapsto \langle\rangle\}).c$ {Property of $\oplus$}
$= s.c$

□


Lemma L.G.2.9 $RA2(P \wedge ac' \neq \emptyset) = RA2 \circ RA1(P)$

Proof.

$RA2(P \wedge ac' \neq \emptyset)$ {Theorem T.5.2.6}
$= RA2(P) \wedge RA2(ac' \neq \emptyset)$ {Theorem T.5.2.9}
$= RA2(P) \wedge RA1(true)$ {Lemmas L.G.1.10 and L.G.1.33}
$= RA1 \circ RA2(P)$

□


Lemma L.G.2.10

$RA2(P)[\{y\}/ac'] \wedge s.tr \le y.tr = P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \oplus \{tr \mapsto y.tr - s.tr\}\}/s, ac'] \wedge s.tr \le y.tr$

Proof.

$RA2(P)[\{y\}/ac'] \wedge s.tr \le y.tr$ {Definition of RA2}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac'][\{y\}/ac'] \wedge s.tr \le y.tr$ {Substitution}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in \{y\} \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac'] \wedge s.tr \le y.tr$ {Property of sets}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z = y \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac'] \wedge s.tr \le y.tr$ {Lemma L.1.0.17}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \oplus \{tr \mapsto y.tr - s.tr\}\}/s, ac'] \wedge s.tr \le y.tr$

□


Lemma L.G.2.11 Provided ac' is not free in Q and P is PBMH-healthy,

$(e)^{y}_{ac'}(RA1 \circ RA2(P) \wedge Q) = \exists y \bullet P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \oplus \{tr \mapsto y.tr - s.tr\}\}/s, ac'] \wedge s.tr \le y.tr \wedge Q \wedge y \in ac'$

Proof.

$(e)^{y}_{ac'}(RA1 \circ RA2(P) \wedge Q)$ {Definition of $(e)^{y}_{ac'}$ (Lemma L.G.7.28)}
$= \exists y \bullet (RA1 \circ RA2(P) \wedge Q)[\{y\}/ac'] \wedge y \in ac'$ {Assumption: ac' is not free in Q and substitution}
$= \exists y \bullet RA1 \circ RA2(P)[\{y\}/ac'] \wedge Q \wedge y \in ac'$ {Lemmas L.G.1.10 and L.G.1.33}
$= \exists y \bullet (RA2(P) \wedge RA1(true))[\{y\}/ac'] \wedge Q \wedge y \in ac'$ {Substitution}
$= \exists y \bullet (RA2(P)[\{y\}/ac'] \wedge RA1(true)[\{y\}/ac']) \wedge Q \wedge y \in ac'$ {Lemma L.G.1.4}
$= \exists y \bullet (RA2(P)[\{y\}/ac'] \wedge s.tr \le y.tr) \wedge Q \wedge y \in ac'$ {Lemma L.G.2.10}
$= \exists y \bullet P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \oplus \{tr \mapsto y.tr - s.tr\}\}/s, ac'] \wedge s.tr \le y.tr \wedge Q \wedge y \in ac'$

□


Lemma L.G.2.12

$RA2(x \in ac') = \exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge x = z \oplus \{tr \mapsto z.tr - s.tr\}$

Proof.

$RA2(x \in ac')$ {Definition of RA2}
$= (x \in ac')[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Substitution}
$= x \in \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}$ {Property of sets}
$= \exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge x = z \oplus \{tr \mapsto z.tr - s.tr\}$

□


Lemma L.G.2.13 Provided ac' is not free in Q and P is PBMH-healthy,

$RA2((e)^{y}_{ac'}(P \wedge Q)) = \exists y \bullet P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{y \oplus \{tr \mapsto y.tr - s.tr\}\}/ac'] \wedge Q[s \oplus \{tr \mapsto \langle\rangle\}/s][y \oplus \{tr \mapsto y.tr - s.tr\}/y] \wedge y \in ac' \wedge s.tr \le y.tr$

Proof.

$RA2((e)^{y}_{ac'}(P \wedge Q))$ {Assumption: P is PBMH-healthy and ac' is not free in Q; Lemmas L.E.4.5 and L.G.7.28 and Theorem T.E.3.1}
$= RA2(\exists y \bullet (P \wedge Q)[\{y\}/ac'] \wedge y \in ac')$ {Assumption: ac' not free in Q and substitution}
$= RA2(\exists y \bullet P[\{y\}/ac'] \wedge Q \wedge y \in ac')$ {Lemma L.G.7.19}
$= \exists y \bullet RA2(P[\{y\}/ac'] \wedge Q \wedge y \in ac')$ {Theorem T.5.2.6}
$= \exists y \bullet RA2(P[\{y\}/ac']) \wedge RA2(Q) \wedge RA2(y \in ac')$ {Lemma L.G.7.21}
$= \exists y \bullet P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{y\}/ac'] \wedge RA2(Q) \wedge RA2(y \in ac')$ {Lemma L.G.7.18}
$= \exists y \bullet P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{y\}/ac'] \wedge RA2(Q) \wedge RA2(y \in ac')$ {Lemma L.G.2.12}
$= \exists y \bullet P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{y\}/ac'] \wedge RA2(Q) \wedge (\exists z \bullet z \in ac' \wedge s.tr \le z.tr \wedge y = z \oplus \{tr \mapsto z.tr - s.tr\})$ {Predicate calculus}
$= \exists y, z \bullet P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{y\}/ac'] \wedge RA2(Q) \wedge z \in ac' \wedge s.tr \le z.tr \wedge y = z \oplus \{tr \mapsto z.tr - s.tr\}$ {One-point rule}
$= \exists z \bullet P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac'] \wedge RA2(Q)[z \oplus \{tr \mapsto z.tr - s.tr\}/y] \wedge z \in ac' \wedge s.tr \le z.tr$ {Assumption: ac' is not free in Q and Lemma L.G.7.21}
$= \exists z \bullet P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac'] \wedge Q[s \oplus \{tr \mapsto \langle\rangle\}/s][z \oplus \{tr \mapsto z.tr - s.tr\}/y] \wedge z \in ac' \wedge s.tr \le z.tr$ {Variable renaming z to y}
$= \exists y \bullet P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{y \oplus \{tr \mapsto y.tr - s.tr\}\}/ac'] \wedge Q[s \oplus \{tr \mapsto \langle\rangle\}/s][y \oplus \{tr \mapsto y.tr - s.tr\}/y] \wedge y \in ac' \wedge s.tr \le y.tr$

□


Theorem T.G.2.3 Provided ac' is not free in Q, P is PBMH-healthy, and $Q = Q[s \oplus \{tr \mapsto \langle\rangle\}/s][y \oplus \{tr \mapsto y.tr - s.tr\}/y]$,

$RA2((e)^{y}_{ac'}(P \wedge Q)) = (e)^{y}_{ac'}(RA1 \circ RA2(P) \wedge Q)$

Proof.

$RA2((e)^{y}_{ac'}(P \wedge Q))$ {Assumption and Lemma L.G.2.13}
$= \exists y \bullet P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{y \oplus \{tr \mapsto y.tr - s.tr\}\}/ac'] \wedge Q[s \oplus \{tr \mapsto \langle\rangle\}/s][y \oplus \{tr \mapsto y.tr - s.tr\}/y] \wedge y \in ac' \wedge s.tr \le y.tr$ {Assumption on Q}
$= \exists y \bullet P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{y \oplus \{tr \mapsto y.tr - s.tr\}\}/ac'] \wedge Q \wedge y \in ac' \wedge s.tr \le y.tr$ {Lemma L.G.2.11}
$= (e)^{y}_{ac'}(RA1 \circ RA2(P) \wedge Q)$

□


G.2.4 Substitution Properties

Lemma L.G.2.14 $RA2(P)^{o}_{w} = RA2(P^{o}_{w})$

Proof.

$RA2(P)^{o}_{w}$ {Definition of RA2}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']^{o}_{w}$ {Substitution abbreviation}
$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac'][o, s \oplus \{wait \mapsto w\}/ok', s]$ {Substitution}
$= P[o/ok'][s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac'][s \oplus \{wait \mapsto w\}/s]$ {Substitution}
$= P[o/ok'][s \oplus \{wait \mapsto w\} \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid z \in ac' \wedge (s \oplus \{wait \mapsto w\}).tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - (s \oplus \{wait \mapsto w\}).tr\}\}/ac']$ {Property of $\oplus$}
$= P[o/ok'][s \oplus \{wait \mapsto w\} \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac']$ {Property of $\oplus$: distinct record components}
$= P[o/ok'][s \oplus \{tr \mapsto \langle\rangle\} \oplus \{wait \mapsto w\}/s][\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac']$ {Substitution}
$= P[o/ok'][s \oplus \{wait \mapsto w\}/s][s \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac']$ {Substitution}
$= P[o, s \oplus \{wait \mapsto w\}/ok', s][s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Substitution abbreviation}
$= P^{o}_{w}[s \oplus \{tr \mapsto \langle\rangle\}, \{z \mid z \in ac' \wedge s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/s, ac']$ {Definition of RA2}
$= RA2(P^{o}_{w})$

□


G.2.5 Properties with respect to Designs

Lemma L.G.2.15 $RA2(P \vdash Q) = (\neg RA2(\neg P) \vdash RA2(Q))$

Proof.

$RA2(P \vdash Q)$ {Definition of design}
$= RA2((ok \wedge P) \Rightarrow (Q \wedge ok'))$ {Predicate calculus}
$= RA2(\neg ok \vee \neg P \vee (Q \wedge ok'))$ {Theorem T.5.2.7}
$= RA2(\neg ok) \vee RA2(\neg P) \vee RA2(Q \wedge ok')$ {Theorem T.5.2.6}
$= RA2(\neg ok) \vee RA2(\neg P) \vee (RA2(Q) \wedge RA2(ok'))$ {Lemma L.G.2.4}
$= \neg ok \vee RA2(\neg P) \vee (RA2(Q) \wedge ok')$ {Predicate calculus}
$= (ok \wedge \neg RA2(\neg P)) \Rightarrow (RA2(Q) \wedge ok')$ {Definition of design}
$= (\neg RA2(\neg P) \vdash RA2(Q))$

□


Lemma L.G.2.16 $RA2(P \vdash Q) = RA2(P \vdash RA2(Q))$

Proof.

$RA2(P \vdash Q)$ {Definition of design}
$= RA2((ok \wedge P) \Rightarrow (Q \wedge ok'))$ {Predicate calculus}
$= RA2(\neg ok \vee \neg P \vee (Q \wedge ok'))$ {Theorems T.5.2.7 and T.G.2.1}
$= RA2(\neg ok \vee \neg P \vee RA2(Q \wedge ok'))$ {Theorem T.5.2.6 and Lemma L.G.2.4}
$= RA2(\neg ok \vee \neg P \vee (RA2(Q) \wedge ok'))$ {Predicate calculus}
$= RA2((ok \wedge P) \Rightarrow (RA2(Q) \wedge ok'))$ {Definition of design}
$= RA2(P \vdash RA2(Q))$

□


G.2.6 Properties with respect to $;_A$

Theorem T.G.2.4 $RA2(P ;_A RA2(Q)) = RA2(P) ;_A RA2(Q)$

Proof.

$RA2(P ;_A RA2(Q))$ {Definition of RA2 (Lemma L.G.2.1)}
$= RA2(P ;_A Q[s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}/s, ac'])$ {Definition of $;_A$ and substitution}
$= RA2(P[\{s \mid Q[s \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}/ac']\}/ac'])$ {Variable renaming}
$= RA2(P[\{z \mid Q[z \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto z.tr \frown y.tr\} \in ac'\}/ac']\}/ac'])$ {Definition of RA2 (Lemma L.G.2.1)}
$= P[\{z \mid Q[z \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto z.tr \frown y.tr\} \in ac'\}/ac']\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}/s, ac']$ {Substitution}
$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid Q[z \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto z.tr \frown y.tr\} \in \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}\}/ac']\}/ac']$ {Property of sets, $\oplus$ and value of record component tr}
$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid Q[z \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto s.tr \frown z.tr \frown y.tr\} \in ac'\}/ac']\}/ac']$ {Lemma L.G.2.17}
$= RA2(P) ;_A RA2(Q)$

□


Lemma L.G.2.17

$RA2(P) ;_{\mathcal{A}} RA2(Q) = P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{t \mid Q[t \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto s.tr \frown t.tr \frown y.tr\} \in ac'\}/ac']\}/ac']$

Proof.

$RA2(P) ;_{\mathcal{A}} RA2(Q)$ {Definition of RA2 (Lemma L.G.2.1)}

$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{t \mid t \oplus \{tr \mapsto s.tr \frown t.tr\} \in ac'\}/s, ac'] ;_{\mathcal{A}} Q[s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}/s, ac']$

{Definition of $;_{\mathcal{A}}$}

$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{t \mid t \oplus \{tr \mapsto s.tr \frown t.tr\} \in ac'\}/s, ac'][\{z \mid Q[s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}/s, ac'][z/s]\}/ac']$

{Substitution}

$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{t \mid t \oplus \{tr \mapsto s.tr \frown t.tr\} \in ac'\}/s, ac'][\{z \mid Q[z \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \oplus \{tr \mapsto z.tr \frown y.tr\} \in ac'\}/s, ac']\}/ac']$

{Substitution}

$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{t \mid t \oplus \{tr \mapsto s.tr \frown t.tr\} \in \{z \mid Q[z \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto z.tr \frown y.tr\} \in ac'\}/ac']\}\}/ac']$

{Property of sets}

$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{t \mid Q[(t \oplus \{tr \mapsto s.tr \frown t.tr\}) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto (t \oplus \{tr \mapsto s.tr \frown t.tr\}).tr \frown y.tr\} \in ac'\}/ac']\}/ac']$

{Property of $\oplus$ and record component}

$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{t \mid Q[t \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto s.tr \frown t.tr \frown y.tr\} \in ac'\}/ac']\}/ac']$

□


Lemma L.G.2.18 $RA2(P) ;_{\mathcal{A}} true = P[s \oplus \{tr \mapsto \langle\rangle\}/s] ;_{\mathcal{A}} true$

Proof.

$RA2(P) ;_{\mathcal{A}} true$ {Lemma L.G.2.1}

$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}/s, ac'] ;_{\mathcal{A}} true$

{Definition of $;_{\mathcal{A}}$}

$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'\}/s, ac'][\{s \mid true\}/ac']$

{Substitution}

$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid y \oplus \{tr \mapsto s.tr \frown y.tr\} \in \{s \mid true\}\}/s, ac']$

{Property of sets}

$= P[s \oplus \{tr \mapsto \langle\rangle\}, \{y \mid true\}/s, ac']$

{Property of substitution: $ac'$ not free in $s$}

$= P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid true\}/ac']$

{Definition of $;_{\mathcal{A}}$}

$= P[s \oplus \{tr \mapsto \langle\rangle\}/s] ;_{\mathcal{A}} true$

□


G.2.7 Properties with respect to A2

Theorem T.G.2.5 $A2 \circ RA2 \circ A2(P) = RA2 \circ A2(P)$

Proof.

$A2 \circ RA2 \circ A2(P)$ {Lemma L.G.2.19}

$= A2(P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'))$

{Definition of A2 (Theorem T.4.2.11)}

$= (P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'))[\emptyset/ac']$
$\lor (\exists z \bullet (P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'))[\{z\}/ac'] \land z \in ac')$

{Substitution and predicate calculus}

$= P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s]$
$\lor (\exists z \bullet (P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac'))[\{z\}/ac'] \land z \in ac')$

{Substitution}

$= P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s]$
$\lor (\exists z \bullet (P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} \in \{z\})) \land z \in ac')$

{Property of sets}

$= P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s]$
$\lor (\exists z \bullet (P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} = z)) \land z \in ac')$

{Predicate calculus}

$= P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s]$
$\lor (\exists z \bullet P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land z \in ac')$
$\lor (\exists z, y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} = z \land z \in ac')$

{One-point rule}

$= P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s]$
$\lor (\exists z \bullet P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land z \in ac')$
$\lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac')$

{Predicate calculus and property of sets}

$= P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s]$
$\lor (P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land ac' \neq \emptyset)$
$\lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac')$

{Predicate calculus: absorption law}

$= P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac')$

{Lemma L.G.2.19}

$= RA2 \circ A2(P)$

□


Lemma L.G.2.19

$RA2 \circ A2(P) = P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac')$

Proof.

$RA2 \circ A2(P)$ {Definition of A2 (Theorem T.4.2.11)}

$= RA2(P[\emptyset/ac'] \lor (\exists y \bullet P[\{y\}/ac'] \land y \in ac'))$ {Theorem T.5.2.7}

$= RA2(P[\emptyset/ac']) \lor RA2(\exists y \bullet P[\{y\}/ac'] \land y \in ac')$ {Lemma PL7T9}

$= RA2(P[\emptyset/ac']) \lor (\exists y \bullet RA2(P[\{y\}/ac'] \land y \in ac'))$ {Theorem T.5.2.6}

$= RA2(P[\emptyset/ac']) \lor (\exists y \bullet RA2(P[\{y\}/ac']) \land RA2(y \in ac'))$ {Lemma IL.G.7.2fl}

$= P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land RA2(y \in ac'))$ {Lemma L.G.7.18}

$= P[\emptyset/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \lor (\exists y \bullet P[\{y\}/ac'][s \oplus \{tr \mapsto \langle\rangle\}/s] \land y \oplus \{tr \mapsto s.tr \frown y.tr\} \in ac')$

□
G.3 RA3

G.3.1 Definition

Definition 112

$RA3(P) = \mathbf{H}_{RAD} \triangleleft s.wait \triangleright P$

G.3.2 Properties

Theorem T.5.2.12 $RA3(P \land Q) = RA3(P) \land RA3(Q)$

Proof.

$RA3(P \land Q)$ {Definition of RA3}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright (P \land Q)$ {Definition of conditional}

$= (s.wait \land \mathbf{H}_{RAD}) \lor (\lnot s.wait \land P \land Q)$ {Predicate calculus}

$= (s.wait \land \mathbf{H}_{RAD}) \lor ((\lnot s.wait \land P) \land (\lnot s.wait \land Q))$ {Predicate calculus}

$= ((s.wait \land \mathbf{H}_{RAD}) \lor (\lnot s.wait \land P)) \land ((s.wait \land \mathbf{H}_{RAD}) \lor (\lnot s.wait \land Q))$

{Definition of conditional}

$= (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P) \land (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright Q)$ {Definition of RA3}

$= RA3(P) \land RA3(Q)$

□

Theorem T.5.2.13 $RA3(P \lor Q) = RA3(P) \lor RA3(Q)$

Proof.

$RA3(P \lor Q)$ {Definition of RA3}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright (P \lor Q)$ {Definition of conditional}

$= (s.wait \land \mathbf{H}_{RAD}) \lor (\lnot s.wait \land (P \lor Q))$ {Predicate calculus}

$= (s.wait \land \mathbf{H}_{RAD}) \lor (\lnot s.wait \land P) \lor (\lnot s.wait \land Q)$ {Predicate calculus}

$= (s.wait \land \mathbf{H}_{RAD}) \lor (\lnot s.wait \land P) \lor (s.wait \land \mathbf{H}_{RAD}) \lor (\lnot s.wait \land Q)$

{Definition of conditional}

$= (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P) \lor (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright Q)$ {Definition of RA3}

$= RA3(P) \lor RA3(Q)$

□
Theorem T.5.2.14 Provided P and Q are RA3-healthy and Q is RA1-healthy, $RA3(P ;_{\mathcal{A}} Q) = P ;_{\mathcal{A}} Q$

Proof.

$P ;_{\mathcal{A}} Q$ {Assumption: P is RA3-healthy}

$= RA3(P) ;_{\mathcal{A}} Q$ {Definition of RA3}

$= (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P) ;_{\mathcal{A}} Q$ {Lemma L.A.1.2}

$= (\mathbf{H}_{RAD} ;_{\mathcal{A}} Q) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Definition of $\mathbf{H}_{RAD}$}

$= ((RA1(\lnot ok) \lor (ok' \land s \in ac')) ;_{\mathcal{A}} Q) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Lemma L.F.1.4}

$= ((RA1(\lnot ok) ;_{\mathcal{A}} Q) \lor ((ok' \land s \in ac') ;_{\mathcal{A}} Q)) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$

{Assumption: Q is RA1 and RA3-healthy and Lemma L.G.1.27}

$= (RA1(\lnot ok) \lor ((ok' \land s \in ac') ;_{\mathcal{A}} Q)) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Lemma L.F.1.5}

$= (RA1(\lnot ok) \lor ((ok' ;_{\mathcal{A}} Q) \land (s \in ac' ;_{\mathcal{A}} Q))) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Lemma L.F.1.1}

$= (RA1(\lnot ok) \lor (ok' \land (s \in ac' ;_{\mathcal{A}} Q))) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Lemma L.F.6.2}

$= (RA1(\lnot ok) \lor (ok' \land Q)) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Assumption: Q is RA3-healthy}

$= (RA1(\lnot ok) \lor (ok' \land (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright Q))) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Property of conditional}

$= (RA1(\lnot ok) \lor (ok' \land \mathbf{H}_{RAD})) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Definition of $\mathbf{H}_{RAD}$}

$= (RA1(\lnot ok) \lor (ok' \land (RA1(\lnot ok) \lor (ok' \land s \in ac')))) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Predicate calculus}

$= (RA1(\lnot ok) \lor (ok' \land RA1(\lnot ok)) \lor (ok' \land s \in ac')) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Predicate calculus: absorption law}

$= (RA1(\lnot ok) \lor (ok' \land s \in ac')) \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Definition of $\mathbf{H}_{RAD}$}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright (P ;_{\mathcal{A}} Q)$ {Definition of RA3}

$= RA3(P ;_{\mathcal{A}} Q)$

□


Theorem T.5.2.15 $PBMH \circ RA3 \circ PBMH(P) = RA3 \circ PBMH(P)$

Proof.

$PBMH \circ RA3 \circ PBMH(P)$ {Definition of RA3}

$= PBMH(\mathbf{H}_{RAD} \triangleleft s.wait \triangleright PBMH(P))$ {Lemma L.E.4.9}

$= PBMH(\mathbf{H}_{RAD}) \triangleleft s.wait \triangleright PBMH \circ PBMH(P)$ {Theorem T.G.3.4}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright PBMH \circ PBMH(P)$ {Theorem T.E.2.1}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright PBMH(P)$ {Definition of RA3}

$= RA3 \circ PBMH(P)$

□


Theorem T.5.2.16 $RA1 \circ RA3(P) = RA3 \circ RA1(P)$

Proof.

$RA1 \circ RA3(P)$ {Definition of RA3}

$= RA1(\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)$ {Lemma L.G.1.15}

$= RA1(\mathbf{H}_{RAD}) \triangleleft s.wait \triangleright RA1(P)$ {Theorem T.G.3.1}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright RA1(P)$ {Definition of RA3}

$= RA3 \circ RA1(P)$

□


Theorem T.5.2.17 $RA2 \circ RA3(P) = RA3 \circ RA2(P)$

Proof.

$RA2 \circ RA3(P)$ {Definition of RA3}

$= RA2(\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)$ {Lemma L.G.2.6 and $s.wait$ is RA2-healthy}

$= RA2(\mathbf{H}_{RAD}) \triangleleft s.wait \triangleright RA2(P)$ {Theorem T.G.3.2}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright RA2(P)$ {Definition of RA3}

$= RA3 \circ RA2(P)$

□


Theorem T.G.3.1 $RA1(\mathbf{H}_{RAD}) = \mathbf{H}_{RAD}$

Proof.

$RA1(\mathbf{H}_{RAD})$ {Definition of $\mathbf{H}_{RAD}$}

$= RA1(RA1(\lnot ok) \lor (ok' \land s \in ac'))$ {Distributivity of RA1 (Theorem T.5.2.3)}

$= RA1 \circ RA1(\lnot ok) \lor RA1(ok' \land s \in ac')$ {Lemma L.G.1.16}

$= RA1 \circ RA1(\lnot ok) \lor (ok' \land RA1(s \in ac'))$ {Lemma L.G.1.14}

$= RA1 \circ RA1(\lnot ok) \lor (ok' \land s \in ac')$ {RA1-idempotent (Theorem T.G.1.1)}

$= RA1(\lnot ok) \lor (ok' \land s \in ac')$ {Definition of $\mathbf{H}_{RAD}$}

$= \mathbf{H}_{RAD}$

□


Theorem T.G.3.2 $RA2(\mathbf{H}_{RAD}) = \mathbf{H}_{RAD}$

Proof.

$RA2(\mathbf{H}_{RAD})$ {Definition of $\mathbf{H}_{RAD}$}

$= RA2((\lnot ok \land RA1(true)) \lor (ok' \land s \in ac'))$ {Distributivity of RA2 (Theorem T.5.2.7)}

$= RA2(\lnot ok \land RA1(true)) \lor RA2(ok' \land s \in ac')$ {Distributivity of RA2 (Theorem T.5.2.6)}

$= (RA2(\lnot ok) \land RA2 \circ RA1(true)) \lor (RA2(ok') \land RA2(s \in ac'))$ {Lemma L.G.2.4}

$= (\lnot ok \land RA2 \circ RA1(true)) \lor (ok' \land RA2(s \in ac'))$ {Lemma L.G.2.3}

$= (\lnot ok \land RA2 \circ RA1(true)) \lor (ok' \land s \in ac')$ {Theorem T.5.2.10}

$= (\lnot ok \land RA1 \circ RA2(true)) \lor (ok' \land s \in ac')$ {Lemma L.G.2.2}

$= (\lnot ok \land RA1(true)) \lor (ok' \land s \in ac')$ {Definition of $\mathbf{H}_{RAD}$}

$= \mathbf{H}_{RAD}$

□


Theorem T.G.3.3 $RA3(\mathbf{H}_{RAD}) = \mathbf{H}_{RAD}$

Proof.

$RA3(\mathbf{H}_{RAD})$ {Definition of RA3}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright \mathbf{H}_{RAD}$ {Property of conditional}

$= \mathbf{H}_{RAD}$

□

Theorem T.G.3.4 $PBMH(\mathbf{H}_{RAD}) = \mathbf{H}_{RAD}$

Proof.

$PBMH(\mathbf{H}_{RAD})$ {Definition of $\mathbf{H}_{RAD}$}

$= PBMH((\lnot ok \land \exists z \bullet s.tr \le z.tr \land z \in ac') \lor (ok' \land s \in ac'))$ {Distributivity of PBMH}

$= PBMH(\lnot ok \land \exists z \bullet s.tr \le z.tr \land z \in ac') \lor PBMH(ok' \land s \in ac')$ {Lemma L.E.4.8}

$= (\lnot ok \land PBMH(\exists z \bullet s.tr \le z.tr \land z \in ac')) \lor (ok' \land PBMH(s \in ac'))$ {Lemma L.E.4.7}

$= (\lnot ok \land \exists z \bullet s.tr \le z.tr \land z \in ac') \lor (ok' \land s \in ac')$ {Definition of $\mathbf{H}_{RAD}$}

$= \mathbf{H}_{RAD}$

□

Theorem T.G.3.5 $RA3 \circ RA3(P) = RA3(P)$

Proof.

$RA3 \circ RA3(P)$ {Definition of RA3}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright RA3(P)$ {Definition of RA3}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)$ {Definition of conditional}

$= (s.wait \land \mathbf{H}_{RAD}) \lor (\lnot s.wait \land (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P))$ {Property of conditional}

$= (s.wait \land \mathbf{H}_{RAD}) \lor (\lnot s.wait \land P)$ {Definition of conditional}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright P$ {Definition of RA3}

$= RA3(P)$

□


Theorem T.G.3.6 $P \sqsubseteq Q \Rightarrow RA3(P) \sqsubseteq RA3(Q)$

Proof.

$RA3(Q)$ {Assumption: $P \sqsubseteq Q = [Q \Rightarrow P]$}

$= RA3(Q \land P)$ {Theorem T.5.2.12}

$= RA3(Q) \land RA3(P)$ {Predicate calculus}

$\sqsubseteq RA3(P)$

□


Properties with respect to PBMH

Theorem T.G.3.7 $PBMH \circ RA3(P) = RA3 \circ PBMH(P)$

Proof.

$PBMH \circ RA3(P)$ {Definition of RA3}

$= PBMH(\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)$ {Lemma L.E.4.9}

$= PBMH(\mathbf{H}_{RAD}) \triangleleft s.wait \triangleright PBMH(P)$ {Theorem T.G.3.4}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright PBMH(P)$ {Definition of RA3}

$= RA3 \circ PBMH(P)$

□


Properties with respect to A2

Theorem T.G.3.8 $A2 \circ RA3(P) = RA3 \circ A2(P)$

Proof.

$A2 \circ RA3(P)$ {Definition of RA3}

$= A2(\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)$ {Lemma L.C.1.20}

$= A2(\mathbf{H}_{RAD}) \triangleleft s.wait \triangleright A2(P)$ {Lemma L.G.3.1}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright A2(P)$ {Definition of RA3}

$= RA3 \circ A2(P)$

□


Theorem T.G.3.9 $A2 \circ RA3 \circ A2(P) = RA3 \circ A2(P)$

Proof.

$RA3 \circ A2(P)$ {Theorem T.4.2.12}

$= RA3 \circ A2 \circ A2(P)$ {Theorem T.G.3.8}

$= A2 \circ RA3 \circ A2(P)$

□

Lemma L.G.3.1 $A2(\mathbf{H}_{RAD}) = \mathbf{H}_{RAD}$

Proof.

$A2(\mathbf{H}_{RAD})$ {Definition of $\mathbf{H}_{RAD}$}

$= A2(RA1(\lnot ok) \lor (ok' \land s \in ac'))$ {Theorem T.4.2.14}

$= A2 \circ RA1(\lnot ok) \lor A2(ok' \land s \in ac')$ {Lemma L.C.1.16 and Theorem T.G.1.7}

$= RA1(\lnot ok) \lor A2(ok' \land s \in ac')$ {Lemma L.G.1.15}

$= RA1(\lnot ok) \lor (ok' \land A2(s \in ac'))$ {Lemma L.G.1.21}

$= RA1(\lnot ok) \lor (ok' \land s \in ac')$ {Definition of $\mathbf{H}_{RAD}$}

$= \mathbf{H}_{RAD}$

□


G.3.3 Substitution Lemmas

Lemma L.5.2.1 $RA3(P) = RA3(P_f)$

Proof.

$RA3(P)$ {Definition of RA3}

$= (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)$ {Definition of conditional and predicate calculus}

$= (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright (\lnot s.wait \land P))$ {Predicate calculus}

$= (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright (s.wait = false \land P))$ {Lemma L.C.1.6}


















548 


APPENDIX G. REACTIVE ANGELIC DESIGNS (RAD)


$= (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright (s.wait = false \land P[s \oplus \{wait \mapsto false\}/s]))$

{Definition of conditional and predicate calculus}

$= (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P[s \oplus \{wait \mapsto false\}/s])$ {Definition of RA3}

$= RA3(P[s \oplus \{wait \mapsto false\}/s])$ {Substitution abbreviation}

$= RA3(P_f)$

□

Lemma L.G.3.2 $RA3(P)^{o}_{f} = P^{o}_{f}$

Proof.

$RA3(P)^{o}_{f}$ {Lemma L.G.3.3}

$= (\mathbf{H}_{RAD})^{o}_{f} \triangleleft false \triangleright P^{o}_{f}$ {Property of conditional}

$= P^{o}_{f}$

□


Lemma L.G.3.3 $RA3(P)^{o}_{w} = (\mathbf{H}_{RAD})^{o}_{w} \triangleleft w \triangleright P^{o}_{w}$

Proof.

$RA3(P)^{o}_{w}$ {Definition of RA3}

$= (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)^{o}_{w}$ {Substitution abbreviation}

$= (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)[o, s \oplus \{wait \mapsto w\}/ok', s]$ {Substitution}

$= \mathbf{H}_{RAD}[o, s \oplus \{wait \mapsto w\}/ok', s] \triangleleft (s \oplus \{wait \mapsto w\}).wait \triangleright P[o, s \oplus \{wait \mapsto w\}/ok', s]$

{Value of record component}

$= \mathbf{H}_{RAD}[o, s \oplus \{wait \mapsto w\}/ok', s] \triangleleft w \triangleright P[o, s \oplus \{wait \mapsto w\}/ok', s]$

{Substitution abbreviation}

$= (\mathbf{H}_{RAD})^{o}_{w} \triangleleft w \triangleright P^{o}_{w}$

□


G.4 RA

G.4.1 Definition

Definition 113

$RA(P) = RA1 \circ RA2 \circ RA3(P)$

Theorem T.5.2.20 $RAD(P) = RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f})$

Proof.

$RAD(P)$ {Definition of RAD}

$= RA3 \circ RA2 \circ RA1 \circ CSPA1 \circ CSPA2 \circ PBMH(P)$ {Theorem T.G.5.3}

$= RA3 \circ RA2 \circ RA1 \circ H1 \circ CSPA2 \circ PBMH(P)$ {CSPA2 is H2}

$= RA3 \circ RA2 \circ RA1 \circ H1 \circ H2 \circ PBMH(P)$ {Theorem T.5.2.1}

$= RA3 \circ RA2 \circ RA1 \circ A0 \circ H1 \circ H2 \circ PBMH(P)$ {Theorems T.E.6.1 and T.E.6.2}

$= RA3 \circ RA2 \circ RA1 \circ A0 \circ PBMH \circ H1 \circ H2(P)$ {Definition of design}

$= RA3 \circ RA2 \circ RA1 \circ A0 \circ PBMH(\lnot P^{f} \vdash P^{t})$ {Definition of A}

$= RA3 \circ RA2 \circ RA1 \circ A(\lnot P^{f} \vdash P^{t})$ {Theorems T.5.2.10, T.5.2.17 and T.5.2.16}

$= RA1 \circ RA2 \circ RA3 \circ A(\lnot P^{f} \vdash P^{t})$ {Lemmas L.C.1.5 and L.5.2.1}

$= RA1 \circ RA2 \circ RA3 \circ A((\lnot P^{f} \vdash P^{t})_f)$ {Substitution}

$= RA1 \circ RA2 \circ RA3 \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f})$ {Definition of RA}

$= RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f})$

□


Theorem T.5.2.21 Provided P is RAD-healthy, $PBMH(P) = P$.

Proof.

$PBMH(P)$ {Assumption: P is RAD-healthy}

$= PBMH \circ RAD(P)$ {Definition of RAD}

$= PBMH \circ RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f})$ {Theorem T.G.1.6}

$= PBMH \circ RA \circ PBMH(\lnot P^{f}_{f} \vdash P^{t}_{f})$ {Theorem T.G.4.4}

$= RA \circ PBMH(\lnot P^{f}_{f} \vdash P^{t}_{f})$ {Theorem T.G.1.6}

$= RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f})$ {Definition of RAD}

$= RAD(P)$ {Assumption: P is RAD-healthy}

$= P$

□


Lemma L.5.2.2 $RAD(P) = RA(\lnot PBMH(P)^{f}_{f} \vdash PBMH(P)^{t}_{f})$

Proof.

$RAD(P)$ {Theorem T.5.2.20}

$= RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f})$ {Theorem T.G.1.6}

$= RA \circ PBMH(\lnot P^{f}_{f} \vdash P^{t}_{f})$ {PBMH is A1}

$= RA(\lnot PBMH(P^{f}_{f}) \vdash PBMH(P^{t}_{f}))$ {Lemma L.E.5.1}

$= RA(\lnot PBMH(P)^{f}_{f} \vdash PBMH(P)^{t}_{f})$

□

Theorem T.G.4.1 $RA(P \land Q) = RA(P) \land RA(Q)$

Proof.

$RA(P \land Q)$ {Definition of RA}

$= RA1 \circ RA2 \circ RA3(P \land Q)$ {Theorem T.5.2.12}

$= RA1 \circ RA2(RA3(P) \land RA3(Q))$ {Theorem T.5.2.6}

$= RA1(RA2 \circ RA3(P) \land RA2 \circ RA3(Q))$ {Theorem T.5.2.2}

$= RA1 \circ RA2 \circ RA3(P) \land RA1 \circ RA2 \circ RA3(Q)$ {Definition of RA}

$= RA(P) \land RA(Q)$

□

Theorem T.G.4.2 $RA(P \lor Q) = RA(P) \lor RA(Q)$

Proof.

$RA(P \lor Q)$ {Definition of RA}

$= RA1 \circ RA2 \circ RA3(P \lor Q)$ {Theorem T.5.2.13}

$= RA1 \circ RA2(RA3(P) \lor RA3(Q))$ {Theorem T.5.2.7}

$= RA1(RA2 \circ RA3(P) \lor RA2 \circ RA3(Q))$ {Theorem T.5.2.3}

$= RA1 \circ RA2 \circ RA3(P) \lor RA1 \circ RA2 \circ RA3(Q)$ {Definition of RA}

$= RA(P) \lor RA(Q)$

□


Theorem T.G.4.3 $RA \circ RA(P) = RA(P)$

Proof.

$RA \circ RA(P)$ {Definition of RA}

$= RA3 \circ RA2 \circ RA1 \circ RA3 \circ RA2 \circ RA1(P)$ {Theorem T.5.2.10}

$= RA3 \circ RA2 \circ RA1 \circ RA3 \circ RA1 \circ RA2(P)$ {Theorem T.5.2.16}

$= RA3 \circ RA2 \circ RA1 \circ RA1 \circ RA3 \circ RA2(P)$ {Theorem T.G.1.1}

$= RA3 \circ RA2 \circ RA1 \circ RA3 \circ RA2(P)$ {Theorem T.5.2.17}

$= RA2 \circ RA3 \circ RA1 \circ RA3 \circ RA2(P)$ {Theorem T.5.2.16}

$= RA2 \circ RA1 \circ RA3 \circ RA3 \circ RA2(P)$ {Theorem T.G.3.5}

$= RA2 \circ RA1 \circ RA3 \circ RA2(P)$ {Theorem T.5.2.16}

$= RA2 \circ RA3 \circ RA1 \circ RA2(P)$ {Theorem T.5.2.17}

$= RA3 \circ RA2 \circ RA1 \circ RA2(P)$ {Theorem T.5.2.10}

$= RA3 \circ RA1 \circ RA2 \circ RA2(P)$ {Theorem T.G.2.1}

$= RA3 \circ RA1 \circ RA2(P)$ {Theorem T.5.2.10}

$= RA3 \circ RA2 \circ RA1(P)$ {Definition of RA}

$= RA(P)$

□





Theorem T.G.4.4 Provided P is PBMH-healthy, $PBMH \circ RA(P) = RA(P)$

Proof.

$RA(P)$ {Definition of RA}

$= RA3 \circ RA2 \circ RA1(P)$ {Assumption: P is PBMH-healthy and Theorem T.5.2.5}

$= RA3 \circ RA2 \circ PBMH \circ RA1(P)$ {Theorem T.5.2.11}

$= RA3 \circ PBMH \circ RA2 \circ PBMH \circ RA1(P)$ {Theorem T.5.2.15}

$= PBMH \circ RA3 \circ PBMH \circ RA2 \circ PBMH \circ RA1(P)$ {Theorem T.5.2.11}

$= PBMH \circ RA3 \circ RA2 \circ PBMH \circ RA1(P)$ {Assumption: P is PBMH-healthy and Theorem T.5.2.5}

$= PBMH \circ RA3 \circ RA2 \circ RA1(P)$ {Definition of RA}

$= PBMH \circ RA(P)$

□


Theorem T.G.4.5

$RA \circ A(\lnot (RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{f}_{f} \vdash (RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{t}_{f}) = RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f})$

Proof.

$RA \circ A(\lnot (RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{f}_{f} \vdash (RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{t}_{f})$ {Lemmas L.G.4.8 and L.G.4.9}

$= RA \circ A(\lnot RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f}) \vdash RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}))$ {Definition of design}

$= RA \circ A((ok \land \lnot RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f})) \Rightarrow (RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok'))$ {Theorem T.G.1.6}

$= RA \circ PBMH((ok \land \lnot RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f})) \Rightarrow (RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok'))$ {Predicate calculus}

$= RA \circ PBMH((\lnot ok \lor RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f})) \lor (RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok'))$ {Lemma L.G.2.4 and Theorem T.5.2.6}

$= RA \circ PBMH((\lnot ok \lor RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f})) \lor RA2(RA1 \circ PBMH(\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok'))$ {Lemma L.G.1.16 and Theorem T.5.2.2}

$= RA \circ PBMH((\lnot ok \lor RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f})) \lor RA2 \circ RA1(PBMH(\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok'))$ {Lemma L.E.4.8}

$= RA \circ PBMH((\lnot ok \lor RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f})) \lor RA2 \circ RA1 \circ PBMH((\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok'))$ {Theorems T.E.2.2 and T.G.4.2}

$= RA \circ PBMH(\lnot ok) \lor RA \circ PBMH \circ RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f}) \lor RA \circ PBMH \circ RA2 \circ RA1 \circ PBMH((\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok')$ {Theorems T.5.2.5 and T.5.2.11}

$= RA \circ PBMH(\lnot ok) \lor RA \circ RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f}) \lor RA \circ RA2 \circ RA1 \circ PBMH((\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok')$ {Definition of RA}

$= RA \circ PBMH(\lnot ok) \lor RA3 \circ RA2 \circ RA1 \circ RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f}) \lor RA3 \circ RA2 \circ RA1 \circ RA2 \circ RA1 \circ PBMH((\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok')$ {Theorem T.5.2.10}

$= RA \circ PBMH(\lnot ok) \lor RA3 \circ RA2 \circ RA2 \circ RA1 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f}) \lor RA3 \circ RA2 \circ RA2 \circ RA1 \circ RA1 \circ PBMH((\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok')$ {Theorems T.G.1.1 and T.G.2.1}

$= RA \circ PBMH(\lnot ok) \lor RA3 \circ RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f}) \lor RA3 \circ RA2 \circ RA1 \circ PBMH((\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok')$ {Definition of RA}

$= RA \circ PBMH(\lnot ok) \lor RA \circ PBMH(\lnot ok \lor P^{f}_{f}) \lor RA \circ PBMH((\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok')$ {Theorems T.E.2.2 and T.G.4.2}

$= RA \circ PBMH(\lnot ok \lor (\lnot ok \lor P^{f}_{f}) \lor ((\lnot ok \lor P^{f}_{f} \lor P^{t}_{f}) \land ok'))$ {Predicate calculus}

$= RA \circ PBMH(\lnot ok \lor P^{f}_{f} \lor (\lnot ok \land ok') \lor (P^{f}_{f} \land ok') \lor (P^{t}_{f} \land ok'))$ {Predicate calculus: absorption law}

$= RA \circ PBMH(\lnot ok \lor P^{f}_{f} \lor (P^{t}_{f} \land ok'))$ {Predicate calculus}

$= RA \circ PBMH((ok \land \lnot P^{f}_{f}) \Rightarrow (P^{t}_{f} \land ok'))$ {Definition of design}

$= RA \circ PBMH(\lnot P^{f}_{f} \vdash P^{t}_{f})$ {Theorem T.G.1.6}

$= RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f})$

□


Lemma L.G.4.1

$RA1 \circ RA3(P \vdash Q) = RA1((true \triangleleft s.wait \triangleright P) \vdash (s \in ac' \triangleleft s.wait \triangleright Q))$

Proof.

$RA1 \circ RA3(P \vdash Q)$ {Definition of design}

$= RA1 \circ RA3((ok \land P) \Rightarrow (Q \land ok'))$ {Predicate calculus}

$= RA1 \circ RA3(\lnot ok \lor \lnot P \lor (Q \land ok'))$ {Theorem T.5.2.13}

$= RA1(RA3(\lnot ok) \lor RA3(\lnot P) \lor RA3(Q \land ok'))$ {Theorem T.5.2.3}

$= RA1 \circ RA3(\lnot ok) \lor RA1 \circ RA3(\lnot P) \lor RA1 \circ RA3(Q \land ok')$ {Lemma L.G.4.2}

$= RA1(\lnot ok) \lor (s.wait \land \mathbf{H}_{RAD}) \lor RA1 \circ RA3(\lnot P) \lor RA1 \circ RA3(Q \land ok')$ {Lemma L.G.4.5}

$= RA1(\lnot ok) \lor (s.wait \land \mathbf{H}_{RAD}) \lor (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright RA1(\lnot P)) \lor (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright RA1(Q \land ok'))$ {Lemma L.G.1.16}

$= RA1(\lnot ok) \lor (s.wait \land \mathbf{H}_{RAD}) \lor (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright RA1(\lnot P)) \lor (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright (RA1(Q) \land ok'))$

{Definition of conditional and predicate calculus}

$= RA1(\lnot ok) \lor (s.wait \land \mathbf{H}_{RAD}) \lor (\lnot s.wait \land RA1(\lnot P)) \lor (\lnot s.wait \land RA1(Q) \land ok')$

{Definition of $\mathbf{H}_{RAD}$ and predicate calculus}

$= RA1(\lnot ok) \lor (s.wait \land RA1(\lnot ok)) \lor (s.wait \land s \in ac' \land ok') \lor (\lnot s.wait \land RA1(\lnot P)) \lor (\lnot s.wait \land RA1(Q) \land ok')$

{Predicate calculus: absorption law}

$= RA1(\lnot ok) \lor (s.wait \land s \in ac' \land ok') \lor (\lnot s.wait \land RA1(\lnot P)) \lor (\lnot s.wait \land RA1(Q) \land ok')$ {Predicate calculus}

$= RA1(\lnot ok) \lor (\lnot s.wait \land RA1(\lnot P)) \lor (((s.wait \land s \in ac') \lor (\lnot s.wait \land RA1(Q))) \land ok')$ {Definition of conditional}

$= RA1(\lnot ok) \lor (false \triangleleft s.wait \triangleright RA1(\lnot P)) \lor ((s \in ac' \triangleleft s.wait \triangleright RA1(Q)) \land ok')$ {Lemmas L.G.1.9 and L.G.1.14}

$= RA1(\lnot ok) \lor (RA1(false) \triangleleft s.wait \triangleright RA1(\lnot P)) \lor ((RA1(s \in ac') \triangleleft s.wait \triangleright RA1(Q)) \land ok')$ {Lemma L.G.1.15}

$= RA1(\lnot ok) \lor RA1(false \triangleleft s.wait \triangleright \lnot P) \lor (RA1(s \in ac' \triangleleft s.wait \triangleright Q) \land ok')$ {Lemma L.G.1.16}

$= RA1(\lnot ok) \lor RA1(false \triangleleft s.wait \triangleright \lnot P) \lor RA1((s \in ac' \triangleleft s.wait \triangleright Q) \land ok')$ {Theorem T.5.2.3}

$= RA1(\lnot ok \lor (false \triangleleft s.wait \triangleright \lnot P) \lor ((s \in ac' \triangleleft s.wait \triangleright Q) \land ok'))$ {Predicate calculus}

$= RA1((ok \land \lnot (false \triangleleft s.wait \triangleright \lnot P)) \Rightarrow ((s \in ac' \triangleleft s.wait \triangleright Q) \land ok'))$ {Lemma L.A.1.5}

$= RA1((ok \land (true \triangleleft s.wait \triangleright P)) \Rightarrow ((s \in ac' \triangleleft s.wait \triangleright Q) \land ok'))$ {Definition of design}

$= RA1((true \triangleleft s.wait \triangleright P) \vdash (s \in ac' \triangleleft s.wait \triangleright Q))$

□


Lemma L.G.4.2

$RA1 \circ RA3(\lnot ok) = RA1(\lnot ok) \lor (s.wait \land \mathbf{H}_{RAD})$

Proof.

$RA1 \circ RA3(\lnot ok)$ {Definition of RA3}

$= RA1(\mathbf{H}_{RAD} \triangleleft s.wait \triangleright \lnot ok)$ {Lemma L.G.1.15}

$= RA1(\mathbf{H}_{RAD}) \triangleleft s.wait \triangleright RA1(\lnot ok)$ {Theorem T.G.3.1}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright RA1(\lnot ok)$ {Lemma L.G.4.3}

$= (RA1(\lnot ok) \lor (ok' \land s \in ac')) \triangleleft s.wait \triangleright RA1(\lnot ok)$ {Definition of conditional}

$= (s.wait \land RA1(\lnot ok)) \lor (s.wait \land ok' \land s \in ac') \lor (\lnot s.wait \land RA1(\lnot ok))$ {Predicate calculus}

$= RA1(\lnot ok) \lor (s.wait \land ok' \land s \in ac')$ {Predicate calculus: absorption law}

$= RA1(\lnot ok) \lor (s.wait \land RA1(\lnot ok)) \lor (s.wait \land ok' \land s \in ac')$ {Predicate calculus}

$= RA1(\lnot ok) \lor (s.wait \land (RA1(\lnot ok) \lor (ok' \land s \in ac')))$ {Lemma L.G.4.3}

$= RA1(\lnot ok) \lor (s.wait \land \mathbf{H}_{RAD})$

□


Lemma L.G.4.3 $\mathbf{H}_{RAD} = RA1(\lnot ok) \lor (ok' \land s \in ac')$

Proof.

$\mathbf{H}_{RAD}$ {Definition of $\mathbf{H}_{RAD}$}

$= (\lnot ok \land RA1(true)) \lor (ok' \land s \in ac')$ {Lemma L.G.1.17}

$= RA1(\lnot ok) \lor (ok' \land s \in ac')$

□


Lemma L.G.4.4

$RA1 \circ RA3(P) = (s.wait \land \mathbf{H}_{RAD}) \lor RA1 \circ RA3(P)$

Proof.

$RA1 \circ RA3(P)$ {Definition of RA3}

$= RA1(\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)$ {Definition of conditional and predicate calculus}

$= RA1((s.wait \land \mathbf{H}_{RAD}) \lor (\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P))$ {Theorem T.5.2.3}

$= RA1(s.wait \land \mathbf{H}_{RAD}) \lor RA1(\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)$ {Lemma L.G.1.16}

$= (s.wait \land RA1(\mathbf{H}_{RAD})) \lor RA1(\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)$ {Theorem T.G.3.1}

$= (s.wait \land \mathbf{H}_{RAD}) \lor RA1(\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)$ {Definition of RA3}

$= (s.wait \land \mathbf{H}_{RAD}) \lor RA1 \circ RA3(P)$

□


Lemma L.G.4.5 $RA1 \circ RA3(P) = \mathbf{H}_{RAD} \triangleleft s.wait \triangleright RA1(P)$

Proof.

$RA1 \circ RA3(P)$ {Definition of RA3}

$= RA1(\mathbf{H}_{RAD} \triangleleft s.wait \triangleright P)$ {Lemma L.G.1.15}

$= RA1(\mathbf{H}_{RAD}) \triangleleft s.wait \triangleright RA1(P)$ {Theorem T.G.3.1}

$= \mathbf{H}_{RAD} \triangleleft s.wait \triangleright RA1(P)$

□

Lemma L.G.4.6 $RA(P)^{o}_{f} = RA2 \circ RA1(P^{o}_{f})$

Proof.

$RA(P)^{o}_{f}$ {Definition of RA}

$= (RA3 \circ RA2 \circ RA1(P))^{o}_{f}$ {Lemma L.G.3.2}

$= (RA2 \circ RA1(P))^{o}_{f}$ {Lemma L.G.2.14}

$= RA2 \circ (RA1(P))^{o}_{f}$ {Lemma L.G.1.24}

$= RA2 \circ RA1(P^{o}_{f})$

□


Lemma L.G.4.7

$(RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{o}_{w} = RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f} \lor (P^{t}_{f} \land o))$

Proof.

$(RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{o}_{w}$ {Theorem T.G.1.6}

$= (RA \circ PBMH(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{o}_{w}$ {Lemma L.G.4.6}

$= RA2 \circ RA1 \circ (PBMH(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{o}_{w}$ {Lemma L.E.5.1}

$= RA2 \circ RA1 \circ PBMH((\lnot P^{f}_{f} \vdash P^{t}_{f})^{o}_{w})$ {Definition of design}

$= RA2 \circ RA1 \circ PBMH(((ok \land \lnot P^{f}_{f}) \Rightarrow (P^{t}_{f} \land ok'))^{o}_{w})$ {Substitution}

$= RA2 \circ RA1 \circ PBMH((ok \land \lnot (P^{f}_{f})^{o}_{w}) \Rightarrow ((P^{t}_{f})^{o}_{w} \land o))$

{Substitution: $ok'$ not free and property of $\oplus$}

$= RA2 \circ RA1 \circ PBMH((ok \land \lnot P^{f}_{f}) \Rightarrow (P^{t}_{f} \land o))$ {Predicate calculus}

$= RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f} \lor (P^{t}_{f} \land o))$

□


Lemma L.G.4.8

$(RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{f}_{f} = RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f})$

Proof.

$(RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{f}_{f}$ {Lemma L.G.4.7}

$= RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f} \lor (P^{t}_{f} \land false))$ {Predicate calculus}

$= RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f})$

□

Lemma L.G.4.9

$(RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{t}_{f} = RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f} \lor P^{t}_{f})$

Proof.

$(RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f}))^{t}_{f}$ {Lemma L.G.4.7}

$= RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f} \lor (P^{t}_{f} \land true))$ {Predicate calculus}

$= RA2 \circ RA1 \circ PBMH(\lnot ok \lor P^{f}_{f} \lor P^{t}_{f})$

□


Lemma L.G.4.10

$\exists ac' \bullet RA1 \circ RA2 \circ PBMH(P) = \exists ac' \bullet RA2 \circ PBMH(P)$

Proof.

$\exists ac' \bullet RA1 \circ RA2 \circ PBMH(P)$ {Theorems T.5.2.5 and T.5.2.11}

$= \exists ac' \bullet PBMH \circ RA1 \circ RA2 \circ PBMH(P)$ {Lemma L.E.4.16}

$= PBMH \circ RA1 \circ RA2 \circ PBMH(P) ;_{\mathcal{A}} true$ {Theorems T.5.2.5 and T.5.2.11}

$= RA1 \circ RA2 \circ PBMH(P) ;_{\mathcal{A}} true$ {Lemma L.G.1.33}

$= (RA2 \circ PBMH(P) \land RA1(true)) ;_{\mathcal{A}} true$ {Distributivity of $;_{\mathcal{A}}$ (Lemma L.F.1.5)}

$= (RA2 \circ PBMH(P) ;_{\mathcal{A}} true) \land (RA1(true) ;_{\mathcal{A}} true)$ {Lemma L.G.1.25 and predicate calculus}

$= (RA2 \circ PBMH(P) ;_{\mathcal{A}} true)$ {Theorem T.5.2.11}

$= PBMH \circ RA2 \circ PBMH(P) ;_{\mathcal{A}} true$ {Lemma L.E.4.16}

$= \exists ac' \bullet PBMH \circ RA2 \circ PBMH(P)$ {Theorem T.5.2.11}

$= \exists ac' \bullet RA2 \circ PBMH(P)$

□


Lemma L.G.4.11

$RA \circ A(\lnot RA2 \circ PBMH(P) \vdash RA2 \circ PBMH(Q)) = RA \circ A(\lnot P \vdash Q)$

Proof.

$RA \circ A(\lnot RA2 \circ PBMH(P) \vdash RA2 \circ PBMH(Q))$ {Theorem T.G.1.6}

$= RA \circ PBMH(\lnot RA2 \circ PBMH(P) \vdash RA2 \circ PBMH(Q))$ {Lemma L.4.2.2}

$= RA(\lnot PBMH \circ RA2 \circ PBMH(P) \vdash PBMH \circ RA2 \circ PBMH(Q))$ {Theorem T.5.2.11}

$= RA(\lnot RA2 \circ PBMH(P) \vdash RA2 \circ PBMH(Q))$ {Definition of RA and Lemma L.G.2.15}

$= RA(\lnot PBMH(P) \vdash PBMH(Q))$ {Lemma L.4.2.2}

$= RA \circ PBMH(\lnot P \vdash Q)$ {Theorem T.G.1.6}

$= RA \circ A(\lnot P \vdash Q)$

□


Lemma L.G.4.12

$RA \circ A(\lnot RA2 \circ PBMH(P) \vdash Q) = RA \circ A(\lnot P \vdash Q)$

Proof.

$RA \circ A(\lnot RA2 \circ PBMH(P) \vdash Q)$ {Theorem T.G.1.6}

$= RA \circ PBMH(\lnot RA2 \circ PBMH(P) \vdash Q)$ {Lemma L.4.2.2}

$= RA(\lnot PBMH \circ RA2 \circ PBMH(P) \vdash PBMH(Q))$ {Theorem T.5.2.11}

$= RA(\lnot RA2 \circ PBMH(P) \vdash PBMH(Q))$ {Definition of RA and Lemma L.G.2.15}

$= RA(\lnot PBMH(P) \vdash PBMH(Q))$ {Lemma L.4.2.2}

$= RA \circ PBMH(\lnot P \vdash Q)$ {Theorem T.G.1.6}

$= RA \circ A(\lnot P \vdash Q)$

□


Lemma L.G.4.13

$RA \circ A(P \vdash RA2 \circ PBMH(Q)) = RA \circ A(P \vdash Q)$

Proof.

$RA \circ A(P \vdash RA2 \circ PBMH(Q))$ {Theorem T.G.1.6}

$= RA \circ PBMH(P \vdash RA2 \circ PBMH(Q))$ {Lemma L.4.2.2}

$= RA(\lnot PBMH(\lnot P) \vdash PBMH \circ RA2 \circ PBMH(Q))$ {Theorem T.5.2.11}

$= RA(\lnot PBMH(\lnot P) \vdash RA2 \circ PBMH(Q))$ {Definition of RA and Lemma L.G.2.15}

$= RA(\lnot PBMH(\lnot P) \vdash PBMH(Q))$ {Lemma L.4.2.2}

$= RA \circ PBMH(P \vdash Q)$ {Theorem T.G.1.6}

$= RA \circ A(P \vdash Q)$

□


Lemma L.G.4.14

$RA \circ A(P \vdash RA1 \circ PBMH(Q)) = RA \circ A(P \vdash Q)$

Proof.

$RA \circ A(P \vdash RA1 \circ PBMH(Q))$ {Theorem T.G.1.6}

$= RA \circ PBMH(P \vdash RA1 \circ PBMH(Q))$ {Lemma L.4.2.2}

$= RA(\lnot PBMH(\lnot P) \vdash PBMH \circ RA1 \circ PBMH(Q))$ {Theorem T.5.2.5}

$= RA(\lnot PBMH(\lnot P) \vdash RA1 \circ PBMH(Q))$ {Definition of RA and Lemma L.G.1.20}

$= RA(\lnot PBMH(\lnot P) \vdash PBMH(Q))$ {Lemma L.4.2.2}

$= RA \circ PBMH(P \vdash Q)$ {Theorem T.G.1.6}

$= RA \circ A(P \vdash Q)$

□


Lemma L.G.4.15

$RA \circ A(\lnot RA1 \circ PBMH(P) \vdash Q) = RA \circ A(\lnot P \vdash Q)$

Proof.

$RA \circ A(\lnot RA1 \circ PBMH(P) \vdash Q)$ {Theorem T.G.1.6}

$= RA \circ PBMH(\lnot RA1 \circ PBMH(P) \vdash Q)$ {Lemma L.4.2.2}

$= RA(\lnot PBMH \circ RA1 \circ PBMH(P) \vdash PBMH(Q))$ {Theorem T.5.2.5}

$= RA(\lnot RA1 \circ PBMH(P) \vdash PBMH(Q))$ {Definition of RA and Lemma L.G.1.23}

$= RA(\lnot PBMH(P) \vdash PBMH(Q))$ {Lemma L.4.2.2}

$= RA \circ PBMH(\lnot P \vdash Q)$ {Theorem T.G.1.6}

$= RA \circ A(\lnot P \vdash Q)$

□


G.4.2 Properties with respect to A2

Theorem T.G.4.6 $RA \circ A \circ A2(P) = A2 \circ RA \circ A \circ A2(P)$

Proof.

$RA \circ A \circ A2(P)$ {Theorem T.G.1.6}

$= RA \circ PBMH \circ A2(P)$ {Lemma L.G.1.26}

$= RA \circ A2(P)$ {Definition of RA}

$= RA3 \circ RA2 \circ RA1 \circ A2(P)$ {Theorem T.G.1.7}

$= RA3 \circ RA2 \circ A2 \circ RA1 \circ A2(P)$ {Theorem T.G.2.5}

$= RA3 \circ A2 \circ RA2 \circ A2 \circ RA1 \circ A2(P)$ {Theorem T.G.3.9}

$= A2 \circ RA3 \circ A2 \circ RA2 \circ A2 \circ RA1 \circ A2(P)$ {Theorem T.G.2.5}

$= A2 \circ RA3 \circ RA2 \circ A2 \circ RA1 \circ A2(P)$ {Theorem T.G.1.7}

$= A2 \circ RA3 \circ RA2 \circ RA1 \circ A2(P)$ {Definition of RA}

$= A2 \circ RA \circ A2(P)$ {Lemma L.G.1.26}

$= A2 \circ RA \circ PBMH \circ A2(P)$ {Theorem T.G.1.6}

$= A2 \circ RA \circ A \circ A2(P)$

□


Theorem T.G.4.7 Provided P is A2-healthy,

$RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f}) = A2 \circ RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f})$

Proof.

$RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f})$ {Assumption: P is A2-healthy}

$= RA \circ A(\lnot A2(P)^{f}_{f} \vdash A2(P)^{t}_{f})$ {Lemma L.C.1.22}

$= RA \circ A(\lnot A2(P^{f}_{f}) \vdash A2(P^{t}_{f}))$ {Lemma L.4.2.3}

$= RA \circ A \circ A2(\lnot P^{f}_{f} \vdash P^{t}_{f})$ {Theorem T.G.4.6}

$= A2 \circ RA \circ A \circ A2(\lnot P^{f}_{f} \vdash P^{t}_{f})$ {Lemma L.4.2.3}

$= A2 \circ RA \circ A(\lnot A2(P^{f}_{f}) \vdash A2(P^{t}_{f}))$ {Lemma L.C.1.22}

$= A2 \circ RA \circ A(\lnot A2(P)^{f}_{f} \vdash A2(P)^{t}_{f})$ {Assumption: P is A2-healthy}

$= A2 \circ RA \circ A(\lnot P^{f}_{f} \vdash P^{t}_{f})$

□


Lemma L.G.4.16

$RA \circ A(\lnot A2(P) \vdash A2(Q)) = A2 \circ RA \circ A(\lnot A2(P) \vdash A2(Q))$

Proof.

$RA \circ A(\lnot A2(P) \vdash A2(Q))$ {Lemma L.4.2.3 and Theorem T.G.4.6}

$= A2 \circ RA \circ A(\lnot A2(P) \vdash A2(Q))$

□


G.5 CSPA1

Lemma L.G.5.1 $CSPA1(P) = P \lor (\lnot ok \land \exists z \bullet s.tr \le z.tr \land z \in ac')$

Proof.

$CSPA1(P)$ {Definition of CSPA1}

$= P \lor RA1(\lnot ok)$ {Lemma L.G.1.17}

$= P \lor (\lnot ok \land RA1(true))$ {Lemma L.G.1.10}

$= P \lor (\lnot ok \land \exists z \bullet s.tr \le z.tr \land z \in ac')$

□


G.5.1 Properties

Theorem T.5.2.18 $CSPA1 \circ RA1(P) = RA1 \circ H1(P)$

Proof.

$CSPA1 \circ RA1(P)$ {Definition of CSPA1}

$= RA1(P) \lor RA1(\lnot ok)$ {Theorem T.5.2.3}

$= RA1(P \lor \lnot ok)$ {Predicate calculus}

$= RA1(ok \Rightarrow P)$ {Definition of H1}

$= RA1 \circ H1(P)$

□


Theorem T.5.2.19 Provided P is PBMH-healthy, $PBMH \circ CSPA1(P) = CSPA1(P)$

Proof.

$PBMH \circ CSPA1(P)$ {Definition of CSPA1}

$= PBMH(P \lor RA1(\lnot ok))$ {Distributivity of PBMH}

$= PBMH(P) \lor PBMH \circ RA1(\lnot ok)$ {Lemma L.E.4.6}

$= PBMH(P) \lor PBMH \circ RA1 \circ PBMH(\lnot ok)$ {$\lnot ok$ is PBMH-healthy and Theorem T.5.2.5}

$= PBMH(P) \lor RA1 \circ PBMH(\lnot ok)$ {Lemma L.E.4.6}

$= PBMH(P) \lor RA1(\lnot ok)$ {Assumption: P is PBMH-healthy}

$= P \lor RA1(\lnot ok)$ {Definition of CSPA1}

$= CSPA1(P)$

□


Theorem T.G.5.1 $CSPA1 \circ CSPA1(P) = CSPA1(P)$

Proof.

$CSPA1 \circ CSPA1(P)$ {Definition of CSPA1}

$= CSPA1(P \lor (\lnot ok \land RA1(true)))$ {Definition of CSPA1}

$= (P \lor (\lnot ok \land RA1(true))) \lor (\lnot ok \land RA1(true))$ {Predicate calculus}

$= P \lor (\lnot ok \land RA1(true))$ {Definition of CSPA1}

$= CSPA1(P)$

□


Theorem T.G.5.2 $P \sqsubseteq Q \Rightarrow CSPA1(P) \sqsubseteq CSPA1(Q)$

Proof.

$CSPA1(Q)$ {Definition of CSPA1}
$= Q \lor (\lnot ok \land RA1(true))$ {Assumption: $P \sqsubseteq Q = [Q \Rightarrow P]$}
$= (Q \land P) \lor (\lnot ok \land RA1(true))$ {Predicate calculus}
$= (Q \lor (\lnot ok \land RA1(true))) \land (P \lor (\lnot ok \land RA1(true)))$ {Predicate calculus}
$\Rightarrow (P \lor (\lnot ok \land RA1(true)))$ {Definition of CSPA1}
$= CSPA1(P)$

□


Properties with respect to RA1 and H1

Theorem T.G.5.3 $RA1 \circ CSPA1(P) = RA1 \circ H1(P)$

Proof.

$RA1 \circ H1(P)$ {Definition of H1}
$= RA1(ok \Rightarrow P)$ {Predicate calculus}
$= RA1(\lnot ok \lor P)$ {Theorem T.5.2.3}
$= RA1(\lnot ok) \lor RA1(P)$ {RA1-idempotent (Theorem T.G.1.1)}
$= RA1 \circ RA1(\lnot ok) \lor RA1(P)$ {Theorem T.5.2.3}
$= RA1(RA1(\lnot ok) \lor P)$ {Definition of CSPA1}
$= RA1 \circ CSPA1(P)$

□


Theorem T.G.5.4 $RA1 \circ CSPA1(P) = CSPA1 \circ RA1(P)$

Proof.

$RA1 \circ CSPA1(P)$ {Definition of CSPA1}
$= RA1(P \lor RA1(\lnot ok))$ {Theorem T.5.2.3}
$= RA1(P) \lor RA1 \circ RA1(\lnot ok)$ {Theorem T.G.1.1}
$= RA1(P) \lor RA1(\lnot ok)$ {Definition of CSPA1}
$= CSPA1 \circ RA1(P)$

□
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RAD 

G.6 $ND_{RAD}$

Theorem T.5.5.2 Provided $P$ is RAD-healthy,
$ND_{RAD}(P) = RA \circ A(true \vdash P^t_f)$

Proof.

$ND_{RAD}(P)$ {Assumption: P is RAD-healthy}
$= ND_{RAD} \circ RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Definition of $ND_{RAD}$ and $Choice_{RAD}$}
$= RA \circ A(\lnot P^f_f \vdash P^t_f) \sqcup_{RAD} RA \circ A(true \vdash true)$ {Theorem T.5.4.1}
$= RA \circ A(true \vdash \lnot P^f_f \Rightarrow P^t_f)$ {Definition of design and predicate calculus}
$= RA \circ A(true \vdash (ok \land \lnot P^f_f) \Rightarrow P^t_f)$ {Theorem T.G.1.6}
$= RA \circ PBMH(true \vdash (ok \land \lnot P^f_f) \Rightarrow P^t_f)$ {Lemma L.4.2.2}
$= RA(\lnot PBMH(false) \vdash PBMH((ok \land \lnot P^f_f) \Rightarrow P^t_f))$ {Definition of RA and Lemmas L.G.1.20 and L.G.2.16}
$= RA(\lnot PBMH(false) \vdash RA2 \circ RA1 \circ PBMH((ok \land \lnot P^f_f) \Rightarrow P^t_f))$ {Theorems T.5.2.5 and T.5.2.11}
$= RA(\lnot PBMH(false) \vdash PBMH \circ RA2 \circ RA1 \circ PBMH((ok \land \lnot P^f_f) \Rightarrow P^t_f))$ {Theorem T.5.2.10 and Lemma L.G.4.9}
$= RA(\lnot PBMH(false) \vdash PBMH((RA \circ A(\lnot P^f_f \vdash P^t_f))^t_f))$ {Assumption: P is RAD-healthy}
$= RA(\lnot PBMH(false) \vdash PBMH(P^t_f))$ {Lemma L.4.2.2}
$= RA \circ PBMH(true \vdash P^t_f)$ {Theorem T.G.1.6}
$= RA \circ A(true \vdash P^t_f)$

□


Theorem T.5.5.3 Provided $P$ is RAD-healthy,
$ND_{RAD}(P) = P \Leftrightarrow \forall s, ac' \bullet \lnot P^f_f$

Proof.

$P = P \sqcup_{RAD} Choice_{RAD}$ {Definition of $Choice_{RAD}$}
$\Leftrightarrow P = P \sqcup_{RAD} RA \circ A(true \vdash true)$ {Assumption: P is RAD-healthy}
$\Leftrightarrow RA \circ A(\lnot P^f_f \vdash P^t_f) = RA \circ A(\lnot P^f_f \vdash P^t_f) \sqcup_{RAD} RA \circ A(true \vdash true)$ {Theorem T.5.4.1}
$\Leftrightarrow RA \circ A(\lnot P^f_f \vdash P^t_f) = RA \circ A(\lnot P^f_f \lor true \vdash (\lnot P^f_f \Rightarrow P^t_f) \land (true \Rightarrow true))$ {Predicate calculus}
$\Leftrightarrow RA \circ A(\lnot P^f_f \vdash P^t_f) = RA \circ A(true \vdash \lnot P^f_f \Rightarrow P^t_f)$ {Theorem T.G.1.6}
$\Leftrightarrow RA \circ PBMH(\lnot P^f_f \vdash P^t_f) = RA \circ PBMH(true \vdash \lnot P^f_f \Rightarrow P^t_f)$ {Definition of RA}
$\Leftrightarrow RA1 \circ RA3 \circ RA2 \circ PBMH(\lnot P^f_f \vdash P^t_f) = RA1 \circ RA3 \circ RA2 \circ PBMH(true \vdash \lnot P^f_f \Rightarrow P^t_f)$ {Lemma L.4.2.2}
$\Leftrightarrow RA1 \circ RA3 \circ RA2(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f)) = RA1 \circ RA3 \circ RA2(\lnot PBMH(false) \vdash PBMH(\lnot P^f_f \Rightarrow P^t_f))$ {Lemma L.E.4.2 and predicate calculus}
$\Leftrightarrow RA1 \circ RA3 \circ RA2(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f)) = RA1 \circ RA3 \circ RA2(true \vdash PBMH(\lnot P^f_f \Rightarrow P^t_f))$ {Predicate calculus and Theorem T.E.2.2}
$\Leftrightarrow RA1 \circ RA3 \circ RA2(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f)) = RA1 \circ RA3 \circ RA2(true \vdash \lnot PBMH(P^f_f) \Rightarrow PBMH(P^t_f))$ {Lemma L.E.5.1}
$\Leftrightarrow RA1 \circ RA3 \circ RA2(\lnot PBMH(P)^f_f \vdash PBMH(P)^t_f) = RA1 \circ RA3 \circ RA2(true \vdash \lnot PBMH(P)^f_f \Rightarrow PBMH(P)^t_f)$ {Assumption: P is RAD-healthy and Theorem T.5.2.2}
$\Leftrightarrow RA1 \circ RA3 \circ RA2(\lnot P^f_f \vdash P^t_f) = RA1 \circ RA3 \circ RA2(true \vdash \lnot P^f_f \Rightarrow P^t_f)$ {Lemma L.G.2.15}
$\Leftrightarrow RA1 \circ RA3(\lnot RA2(P^f_f) \vdash RA2(P^t_f)) = RA1 \circ RA3(\lnot RA2(false) \vdash RA2(\lnot P^f_f \Rightarrow P^t_f))$ {Lemma L.G.2.4 and predicate calculus}
$\Leftrightarrow RA1 \circ RA3(\lnot RA2(P^f_f) \vdash RA2(P^t_f)) = RA1 \circ RA3(true \vdash RA2(\lnot P^f_f \Rightarrow P^t_f))$ {Lemma L.G.4.1}
$\Leftrightarrow RA1(true \lhd s.wait \rhd \lnot RA2(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2(P^t_f)) = RA1(true \lhd s.wait \rhd true \vdash s \in ac' \lhd s.wait \rhd RA2(\lnot P^f_f \Rightarrow P^t_f))$ {Definition of design and predicate calculus}
$\Leftrightarrow RA1((\lnot ok) \lor \lnot (true \lhd s.wait \rhd \lnot RA2(P^f_f)) \lor ((s \in ac' \lhd s.wait \rhd RA2(P^t_f)) \land ok')) = RA1((\lnot ok) \lor \lnot (true \lhd s.wait \rhd true) \lor ((s \in ac' \lhd s.wait \rhd RA2(\lnot P^f_f \Rightarrow P^t_f)) \land ok'))$ {Property of conditional}
$\Leftrightarrow RA1((\lnot ok) \lor (\lnot s.wait \land RA2(P^f_f)) \lor ((s \in ac' \lhd s.wait \rhd RA2(P^t_f)) \land ok')) = RA1((\lnot ok) \lor ((s \in ac' \lhd s.wait \rhd RA2(\lnot P^f_f \Rightarrow P^t_f)) \land ok'))$ {Theorem T.5.2.3}
$\Leftrightarrow RA1(\lnot ok) \lor RA1(\lnot s.wait \land RA2(P^f_f)) \lor RA1((s \in ac' \lhd s.wait \rhd RA2(P^t_f)) \land ok') = RA1(\lnot ok) \lor RA1((s \in ac' \lhd s.wait \rhd RA2(\lnot P^f_f \Rightarrow P^t_f)) \land ok')$ {Lemmas L.G.1.14 to L.G.1.16}
$\Leftrightarrow RA1(\lnot ok) \lor RA1(\lnot s.wait \land RA2(P^f_f)) \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(P^t_f)) \land ok') = RA1(\lnot ok) \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(\lnot P^f_f \Rightarrow P^t_f)) \land ok')$ {Equality of relations}
$\Leftrightarrow \left(RA1(\lnot ok) \lor RA1(\lnot s.wait \land RA2(P^f_f)) \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(P^t_f)) \land ok')\right) \Leftrightarrow \left(RA1(\lnot ok) \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(\lnot P^f_f \Rightarrow P^t_f)) \land ok')\right)$ {Predicate calculus and Theorems T.5.2.3 and T.5.2.7}
$\Leftrightarrow \left(RA1(\lnot ok) \lor RA1(\lnot s.wait \land RA2(P^f_f)) \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(P^t_f)) \land ok')\right) \Leftrightarrow \left(RA1(\lnot ok) \lor ((s \in ac' \lhd s.wait \rhd (RA1 \circ RA2(P^f_f) \lor RA1 \circ RA2(P^t_f))) \land ok')\right)$ {Property of conditional}
$\Leftrightarrow \left(RA1(\lnot ok) \lor RA1(\lnot s.wait \land RA2(P^f_f)) \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(P^t_f)) \land ok')\right) \Leftrightarrow \left(RA1(\lnot ok) \lor (((false \lhd s.wait \rhd RA1 \circ RA2(P^f_f)) \lor (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(P^t_f))) \land ok')\right)$ {Property of conditional and predicate calculus}
$\Leftrightarrow \left(RA1(\lnot ok) \lor RA1(\lnot s.wait \land RA2(P^f_f)) \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(P^t_f)) \land ok')\right) \Leftrightarrow \left(RA1(\lnot ok) \lor (\lnot s.wait \land RA1 \circ RA2(P^f_f) \land ok') \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(P^t_f)) \land ok')\right)$ {Lemma L.A.1.8}
$\Leftrightarrow RA1(\lnot ok) \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(P^t_f)) \land ok') \lor \left(RA1(\lnot s.wait \land RA2(P^f_f)) \Leftrightarrow (\lnot s.wait \land RA1 \circ RA2(P^f_f) \land ok')\right)$ {Lemma L.G.1.16}
$\Leftrightarrow RA1(\lnot ok) \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(P^t_f)) \land ok') \lor \left((\lnot s.wait \land RA1 \circ RA2(P^f_f)) \Leftrightarrow (\lnot s.wait \land RA1 \circ RA2(P^f_f) \land ok')\right)$ {Lemma L.A.1.7}
$\Leftrightarrow RA1(\lnot ok) \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(P^t_f)) \land ok') \lor ((\lnot s.wait \land RA1 \circ RA2(P^f_f)) \Rightarrow ok')$ {Definition of universal quantification}
$\Leftrightarrow \forall ok', ok, s, ac' \bullet \left(RA1(\lnot ok) \lor ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(P^t_f)) \land ok') \lor ((\lnot s.wait \land RA1 \circ RA2(P^f_f)) \Rightarrow ok')\right)$ {Case-analysis on $ok'$ and predicate calculus}
$\Leftrightarrow \forall ok, s, ac' \bullet \left(RA1(\lnot ok) \lor ((\lnot s.wait \land RA1 \circ RA2(P^f_f)) \Rightarrow false)\right)$ {Predicate calculus}
$\Leftrightarrow \forall ok, s, ac' \bullet \left(RA1(\lnot ok) \lor (s.wait \lor \lnot RA1 \circ RA2(P^f_f))\right)$ {Case-analysis on $ok$ and predicate calculus}
$\Leftrightarrow \forall s, ac' \bullet \left((RA1(false) \lor (s.wait \lor \lnot RA1 \circ RA2(P^f_f))) \land (RA1(true) \lor (s.wait \lor \lnot RA1 \circ RA2(P^f_f)))\right)$ {Lemma L.G.1.9 and predicate calculus}
$\Leftrightarrow \forall s, ac' \bullet \left((s.wait \lor \lnot RA1 \circ RA2(P^f_f)) \land (RA1(true) \lor (s.wait \lor \lnot RA1 \circ RA2(P^f_f)))\right)$ {Predicate calculus: absorption law}
$\Leftrightarrow \forall s, ac' \bullet (s.wait \lor \lnot RA1 \circ RA2(P^f_f))$ {Predicate calculus}
$\Leftrightarrow \forall s \bullet (\lnot s.wait) \Rightarrow (\forall ac' \bullet \lnot RA1 \circ RA2(P^f_f))$ {Predicate calculus}
$\Leftrightarrow \forall s \bullet (\exists z \bullet s = z \oplus \{wait \mapsto false\}) \Rightarrow (\forall ac' \bullet \lnot RA1 \circ RA2(P^f_f))$ {Predicate calculus}
$\Leftrightarrow \forall s, z \bullet (s = z \oplus \{wait \mapsto false\}) \Rightarrow (\forall ac' \bullet \lnot RA1 \circ RA2(P^f_f))$ {Predicate calculus}
$\Leftrightarrow \forall z \bullet (\forall ac' \bullet \lnot RA1 \circ RA2(P^f_f))[z \oplus \{wait \mapsto false\}/s]$ {Predicate calculus}
$\Leftrightarrow \forall s \bullet (\forall ac' \bullet \lnot RA1 \circ RA2(P^f_f))[z \oplus \{wait \mapsto false\}/s][s/z]$ {Property of substitution}
$\Leftrightarrow \forall s \bullet (\forall ac' \bullet \lnot RA1 \circ RA2(P^f_f))[s \oplus \{wait \mapsto false\}/s]$ {Lemmas L.G.1.24 and L.G.2.14 and property of substitution}
$\Leftrightarrow \forall s \bullet (\forall ac' \bullet (\lnot RA1 \circ RA2(P))^f_f)[s \oplus \{wait \mapsto false\}/s]$ {Substitution abbreviation}
$\Leftrightarrow \forall s \bullet (\forall ac' \bullet (\lnot RA1 \circ RA2(P))^f[s \oplus \{wait \mapsto false\}/s])[s \oplus \{wait \mapsto false\}/s]$ {Property of substitution and $\oplus$}
$\Leftrightarrow \forall s \bullet (\forall ac' \bullet (\lnot RA1 \circ RA2(P))^f[s \oplus \{wait \mapsto false\}/s])$ {Substitution abbreviation}
$\Leftrightarrow \forall s \bullet (\forall ac' \bullet (\lnot RA1 \circ RA2(P))^f_f)$ {Predicate calculus}
$\Leftrightarrow \forall s, ac' \bullet (\lnot RA1 \circ RA2(P))^f_f$ {Assumption: P is RAD-healthy, hence RA1 and RA2-healthy}
$\Leftrightarrow \forall s, ac' \bullet (\lnot P)^f_f$ {Property of substitution}
$\Leftrightarrow \forall s, ac' \bullet \lnot P^f_f$

□
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Theorem T.5.5.1 NDrad ° NDrad(-P) = NDrad(T’) 


Proof. 


NDrap o NDrap(L) 

{Definition of NDrap} 

= NDrap(P) U ChoicejiAP 

{Definition of NDrap} 

= P U Choice rap U Choice rap 

{Predicate calculus} 

— P U Choice ^ap 

{Definition of NDrap} 

= NDrap (P) 



□ 


Theorem T.G.6.1 Provided $P$ and $Q$ are reactive angelic designs and $ND_{RAD}$-healthy,

$P \mathrel{;_{Dac}} Q = RA \circ A(true \vdash RA1(P^t_f) \mathrel{;_A} (s \in ac' \lhd s.wait \rhd RA2 \circ RA1(Q^t_f)))$

Proof.

$P \mathrel{;_{Dac}} Q$ {Assumption: P and Q are $ND_{RAD}$-healthy and Theorem T.5.5.2}
$= RA \circ A(true \vdash P^t_f) \mathrel{;_{Dac}} RA \circ A(true \vdash Q^t_f)$ {Theorem T.5.4.21}
$= RA \circ A\left(\lnot (RA1(false) \mathrel{;_A} RA1(true)) \land \lnot (RA1(P^t_f) \mathrel{;_A} (\lnot s.wait \land RA2 \circ RA1(false))) \vdash RA1(P^t_f) \mathrel{;_A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(true \Rightarrow Q^t_f)))\right)$ {Lemmas L.G.1.9 and L.G.2.4 and predicate calculus}
$= RA \circ A\left(\lnot (false \mathrel{;_A} RA1(true)) \land \lnot (RA1(P^t_f) \mathrel{;_A} false) \vdash RA1(P^t_f) \mathrel{;_A} (s \in ac' \lhd s.wait \rhd RA2 \circ RA1(Q^t_f))\right)$ {Lemma L.F.1.1 and predicate calculus}
$= RA \circ A\left(\lnot (RA1(P^t_f) \mathrel{;_A} false) \vdash RA1(P^t_f) \mathrel{;_A} (s \in ac' \lhd s.wait \rhd RA2 \circ RA1(Q^t_f))\right)$ {Lemma L.G.1.1, definition of $;_A$ and substitution}
$= RA \circ A\left(\lnot ((P^t_f)[\{z \mid z \in \emptyset \land s.tr \le z.tr\}/ac'] \land \exists z \bullet s.tr \le z.tr \land z \in \emptyset) \vdash RA1(P^t_f) \mathrel{;_A} (s \in ac' \lhd s.wait \rhd RA2 \circ RA1(Q^t_f))\right)$ {Property of sets and predicate calculus}
$= RA \circ A\left(true \vdash RA1(P^t_f) \mathrel{;_A} (s \in ac' \lhd s.wait \rhd RA2 \circ RA1(Q^t_f))\right)$

□


Lemma L.G.6.1 $ND_{RAD}(Chaos_{RAD}) = Choice_{RAD}$

Proof.

$ND_{RAD}(Chaos_{RAD})$ {Definition of $ND_{RAD}$}
$= Chaos_{RAD} \sqcup_{RAD} Choice_{RAD}$ {Theorem T.5.4.13}
$= RA \circ A(true \vdash ac' \neq \emptyset)$ {Definition of $Choice_{RAD}$}
$= Choice_{RAD}$

□


Lemma L.G.6.2 $ND_{RAD}(a \rightarrow_{RAD} Skip_{RAD}) = a \rightarrow_{RAD} Skip_{RAD}$

Proof.

$ND_{RAD}(a \rightarrow_{RAD} Skip_{RAD})$ {Definition of $ND_{RAD}$}
$= a \rightarrow_{RAD} Skip_{RAD} \sqcup_{RAD} Choice_{RAD}$ {Theorem T.5.4.13 and definition of $a \rightarrow_{RAD} Skip_{RAD}$}
$= RA \circ A\left(true \vdash \exists y \in ac' \bullet (y.tr = s.tr \land a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)\right)$ {Definition of $a \rightarrow_{RAD} Skip_{RAD}$}
$= a \rightarrow_{RAD} Skip_{RAD}$

□
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G.T Relationship with CSP 

G.7.1 Results with respect to R 

Theorem T.5.3.1 Provided P is PHNlU-healthy, ac2p o RA(F) = R o ac2p{P ) 


Proof. 

ac2p o RA(P) 

= ac2p o RA3 o RA2 o RA1(P) 
= R3 o ac2p o RA2 o RA1(P) 

= R3 o ac2p o RAl o RA2(P) 

= R3 o R1 o R2 o ac2p(P) 

= R o ac2p(P) 


(Definition of RA} 
(Theorem [TTrm 
(Theorem IT. 5. 2.101 } 
(Theorem IT. G. 7.21 } 
(Definition of R} 


6 

Theorem T.5.3.2 $ac2p \circ RA \circ A(\lnot P^f_f \vdash P^t_f) = R(\lnot ac2p(P^f_f) \vdash ac2p(P^t_f))$

Proof.

$ac2p \circ RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.G.1.6}
$= ac2p \circ RA \circ PBMH(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.3.1}
$= R \circ ac2p \circ PBMH(\lnot P^f_f \vdash P^t_f)$ {Lemma L.C.5.36}
$= R \circ ac2p(\lnot P^f_f \vdash P^t_f)$ {Lemma L.C.5.28}
$= R(\lnot ac2p(P^f_f) \vdash ac2p(P^t_f))$

□

Theorem T.G.7.1 Provided $P$ is PBMH-healthy,
$ac2p \circ RA1(P) = R1 \circ ac2p(P)$

Proof.

$ac2p \circ RA1(P)$ {Definition of ac2p}
$= PBMH(RA1(P))[State_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x$ {Assumption: P is PBMH-healthy and Theorem T.5.2.5}
$= RA1(P)[State_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x$ {Definition of RA1 (Lemma L.G.1.1)}
$= \left((P[\{z \mid z \in ac' \land s.tr \le z.tr\}/ac'] \land \exists z \bullet s.tr \le z.tr \land z \in ac')[State_{II}(in\alpha_{ok})/s]\right) \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x$ {Substitution}
$= \left(P[State_{II}(in\alpha_{ok})/s][\{z \mid z \in ac' \land tr \le z.tr\}/ac'] \land \exists z \bullet tr \le z.tr \land z \in ac'\right) \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x$ {Definition of $;_A$ and substitution}
$= P[State_{II}(in\alpha_{ok})/s][\{z \mid z \in \{s \mid \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x\} \land tr \le z.tr\}/ac'] \land \exists z \bullet tr \le z.tr \land z \in \{s \mid \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x\}$ {Property of sets}
$= P[State_{II}(in\alpha_{ok})/s][\{z \mid \bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x \land tr \le z.tr\}/ac'] \land \exists z \bullet tr \le z.tr \land (\bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x)$ {Property of dash}
$= P[State_{II}(in\alpha_{ok})/s][\{z \mid \bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x \land tr \le dash(z).tr'\}/ac'] \land \exists z \bullet tr \le dash(z).tr' \land (\bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x)$ {Transitivity of equality on $dash(z).tr' = tr'$}
$= P[State_{II}(in\alpha_{ok})/s][\{z \mid \bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x \land tr \le tr'\}/ac'] \land \exists z \bullet tr \le tr' \land (\bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x)$ {One-point rule}
$= P[State_{II}(in\alpha_{ok})/s][\{z \mid \bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x \land tr \le tr'\}/ac'] \land tr \le tr'$ {Definition of $;_A$}
$= \left(P[State_{II}(in\alpha_{ok})/s] \mathrel{;_A} (\bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x \land tr \le tr')\right) \land tr \le tr'$ {Assumption: P is PBMH-healthy and Lemma L.F.2.7}
$= \left(PBMH(P)[State_{II}(in\alpha_{ok})/s] \mathrel{;_A} (\bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x)\right) \land tr \le tr'$ {Definition of ac2p}
$= ac2p(P) \land tr \le tr'$ {Definition of R1}
$= R1 \circ ac2p(P)$

□


Theorem T.G.7.2 Provided $P$ is PBMH-healthy,
$ac2p \circ RA1 \circ RA2(P) = R1 \circ R2 \circ ac2p(P)$

Proof.

$ac2p \circ RA1 \circ RA2(P)$ {Definition of ac2p}
$= PBMH(RA1 \circ RA2(P))[State_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x$ {Assumption: P is PBMH-healthy and Theorems T.5.2.5 and T.5.2.11}
$= (RA1 \circ RA2(P))[State_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x$ {Lemma L.G.1.33 and definition of RA2}
$= \left(\left(P[s \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid z \in ac' \land s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac'] \land \exists z \bullet z \in ac' \land s.tr \le z.tr\right)[State_{II}(in\alpha_{ok})/s]\right) \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x$ {Substitution}
$= \left(P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid z \in ac' \land (State_{II}(in\alpha_{ok})).tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - (State_{II}(in\alpha_{ok})).tr\}\}/ac'] \land \exists z \bullet z \in ac' \land (State_{II}(in\alpha_{ok})).tr \le z.tr\right) \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x$ {Property of $State_{II}$ and substitution}
$= \left(P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{z \mid z \in ac' \land tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - tr\}\}/ac'] \land \exists z \bullet z \in ac' \land tr \le z.tr\right) \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x$ {Property of sets}
$= \left(P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \exists z \bullet z \in ac' \land tr \le z.tr \land y = z \oplus \{tr \mapsto z.tr - tr\}\}/ac'] \land \exists z \bullet z \in ac' \land tr \le z.tr\right) \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x$ {Lemma L.G.1.8}
$= \left(P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto tr \frown y.tr\} \in ac'\}/ac'] \land \exists z \bullet z \in ac' \land tr \le z.tr\right) \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x$ {Definition of $;_A$ and substitution}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid y \oplus \{tr \mapsto tr \frown y.tr\} \in \{s \mid \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x\}\}/ac'] \land \exists z \bullet z \in \{s \mid \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x\} \land tr \le z.tr$ {Property of sets}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(y \oplus \{tr \mapsto tr \frown y.tr\}).x = x\}/ac'] \land \exists z \bullet \bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x \land tr \le z.tr$ {Property of $\oplus$}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(\{tr\} \ndres y).x = x \land dash(\{tr \mapsto tr \frown y.tr\}).tr' = tr'\}/ac'] \land \exists z \bullet \bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x \land tr \le z.tr$ {Property of dash}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(\{tr\} \ndres y).x = x \land (\{tr' \mapsto tr \frown y.tr\}).tr' = tr'\}/ac'] \land \exists z \bullet \bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x \land tr \le dash(z).tr'$ {Value of record component $tr'$}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(\{tr\} \ndres y).x = x \land tr \frown y.tr = tr'\}/ac'] \land \exists z \bullet \bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x \land tr \le dash(z).tr'$ {Property of sequences}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(\{tr\} \ndres y).x = x \land tr' - tr = y.tr \land tr \le tr'\}/ac'] \land \exists z \bullet \bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x \land tr \le dash(z).tr'$ {Property of dash}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(\{tr\} \ndres y).x = x \land tr' - tr = dash(y).tr' \land tr \le tr'\}/ac'] \land \exists z \bullet \bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x \land tr \le dash(z).tr'$ {Transitivity of equality on $tr' \in out\alpha_{ok'}$}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(\{tr\} \ndres y).x = x \land tr' - tr = dash(y).tr' \land tr \le tr'\}/ac'] \land \exists z \bullet \bigwedge x : out\alpha_{ok'} \bullet dash(z).x = x \land tr \le tr'$ {One-point rule}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(\{tr\} \ndres y).x = x \land tr' - tr = dash(y).tr' \land tr \le tr'\}/ac'] \land tr \le tr'$ {Assumption: P is PBMH-healthy and Lemma L.F.2.7}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(\{tr\} \ndres y).x = x \land tr' - tr = dash(y).tr'\}/ac'] \land tr \le tr'$ {Substitution}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(\{tr\} \ndres y).x = x \land tr' = dash(y).tr'\}/ac'][tr' - tr/tr'] \land tr \le tr'$ {Property of $\ndres$}
$= P[(State_{II}(in\alpha_{ok})) \oplus \{tr \mapsto \langle\rangle\}/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(y).x = x\}/ac'][tr' - tr/tr'] \land tr \le tr'$ {Property of $State_{II}$ and substitution}
$= P[State_{II}(in\alpha_{ok})/s][\langle\rangle/tr][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(y).x = x\}/ac'][tr' - tr/tr'] \land tr \le tr'$ {Property of substitution: $tr$ not free in set comprehension}
$= P[State_{II}(in\alpha_{ok})/s][\{y \mid \bigwedge x : out\alpha_{ok'} \bullet dash(y).x = x\}/ac'][\langle\rangle, tr' - tr/tr, tr'] \land tr \le tr'$ {Definition of $;_A$}
$= \left(P[State_{II}(in\alpha_{ok})/s] \mathrel{;_A} \bigwedge x : out\alpha_{ok'} \bullet dash(s).x = x\right)[\langle\rangle, tr' - tr/tr, tr'] \land tr \le tr'$ {Assumption: P is PBMH-healthy and definition of ac2p}
$= ac2p(P)[\langle\rangle, tr' - tr/tr, tr'] \land tr \le tr'$ {Definition of R2 and R1}
$= R1 \circ R2 \circ ac2p(P)$

□


Theorem T.G.7.3 $ac2p \circ RA3(P) = R3 \circ ac2p(P)$

Proof.

$ac2p \circ RA3(P)$ {Definition of RA3}
$= ac2p(\Pi_{RAD} \lhd s.wait \rhd P)$ {Lemma L.C.5.32}
$= ac2p(\Pi_{RAD}) \lhd s.wait[State_{II}(in\alpha_{ok})/s] \rhd ac2p(P)$ {Definition of $State_{II}$ and substitution}
$= ac2p(\Pi_{RAD}) \lhd wait \rhd ac2p(P)$ {Theorem T.G.7.4}
$= \Pi_{rea} \lhd wait \rhd ac2p(P)$ {Definition of R3}
$= R3 \circ ac2p(P)$

□


Theorem T.G.7.4 Provided $out\alpha = \{tr', ref', wait'\}$,
$ac2p(\Pi_{RAD}) = \Pi_{rea}$

Proof.

$ac2p(\Pi_{RAD})$ {Definition of $\Pi_{RAD}$}
$= ac2p(RA1(\lnot ok) \lor (ok' \land s \in ac'))$ {Distributivity of ac2p (Theorem T.C.5.1)}
$= ac2p \circ RA1(\lnot ok) \lor ac2p(ok' \land s \in ac')$ {$\lnot ok$ is PBMH-healthy and Theorem T.G.7.1}
$= R1 \circ ac2p(\lnot ok) \lor ac2p(ok' \land s \in ac')$ {Lemma L.C.5.27}
$= R1(\lnot ok) \lor ac2p(ok' \land s \in ac')$ {Lemma L.C.5.26}
$= R1(\lnot ok) \lor (ok' \land ac2p(s \in ac'))$ {Assumption: $in\alpha_{ok} = \{tr, ref, wait\}$ and Lemma L.C.5.34}
$= R1(\lnot ok) \lor (ok' \land tr' = tr \land ref' = ref \land wait' = wait)$ {Definition of $\Pi_{rea}$}
$= \Pi_{rea}$

□


Theorem T.5.3.3 $p2ac \circ R(P) = RA \circ p2ac(P)$

Proof.

$p2ac \circ R(P)$ {Definition of R}
$= p2ac \circ R3 \circ R1 \circ R2(P)$ {Theorem T.G.7.10}
$= RA3 \circ p2ac \circ R1 \circ R2(P)$ {R1-idempotent}
$= RA3 \circ p2ac \circ R1 \circ R1 \circ R2(P)$ {Theorem T.G.7.8}
$= RA3 \circ RA1 \circ p2ac \circ R1 \circ R2(P)$ {Theorem T.G.7.9}
$= RA3 \circ RA1 \circ RA2 \circ p2ac(P)$ {Theorem T.5.2.10}
$= RA3 \circ RA2 \circ RA1 \circ p2ac(P)$ {Definition of RA}
$= RA \circ p2ac(P)$

□

Theorem T.5.3.4 $p2ac \circ R(\lnot P^f_f \vdash P^t_f) = RA \circ A(\lnot p2ac(P^f_f) \vdash p2ac(P^t_f))$

Proof.

$p2ac \circ R(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.3.3 and definition of RA}
$= RA3 \circ RA2 \circ RA1 \circ p2ac(\lnot P^f_f \vdash P^t_f)$ {Definition of RA1}
$= RA3 \circ RA2 \circ RA1(p2ac(\lnot P^f_f \vdash P^t_f) \land ac' \neq \emptyset)$ {Theorem T.4.6.4}
$= RA3 \circ RA2 \circ RA1((\lnot p2ac(P^f_f) \vdash p2ac(P^t_f)) \land ac' \neq \emptyset)$ {RA1 and RA}
$= RA(\lnot p2ac(P^f_f) \vdash p2ac(P^t_f))$ {Lemma L.4.6.1}
$= RA(\lnot PBMH \circ p2ac(P^f_f) \vdash PBMH \circ p2ac(P^t_f))$ {Definition of A1}
$= RA \circ A1(\lnot p2ac(P^f_f) \vdash p2ac(P^t_f))$ {Definition of RA and Theorem T.5.2.1}
$= RA \circ A0 \circ A1(\lnot p2ac(P^f_f) \vdash p2ac(P^t_f))$ {Definition of A}
$= RA \circ A(\lnot p2ac(P^f_f) \vdash p2ac(P^t_f))$

□


Theorem T.G.7.5 $p2ac \circ R(\lnot P^f \vdash P^t) = RA(\lnot p2ac(P^f) \vdash p2ac(P^t))$

Proof.

$p2ac \circ R(\lnot P^f \vdash P^t)$ {Theorem T.5.3.3}
$= RA \circ p2ac(\lnot P^f \vdash P^t)$ {Definition of RA}
$= RA3 \circ RA2 \circ RA1 \circ p2ac(\lnot P^f \vdash P^t)$ {Definition of RA1}
$= RA3 \circ RA2\left((p2ac(\lnot P^f \vdash P^t) \land ac' \neq \emptyset)[States_{tr \le tr'}(s) \cap ac'/ac']\right)$ {Theorem T.4.6.4}
$= RA3 \circ RA2\left(((\lnot p2ac(P^f) \vdash p2ac(P^t)) \land ac' \neq \emptyset)[States_{tr \le tr'}(s) \cap ac'/ac']\right)$ {Definition of RA1}
$= RA3 \circ RA2 \circ RA1(\lnot p2ac(P^f) \vdash p2ac(P^t))$ {Definition of RA}
$= RA(\lnot p2ac(P^f) \vdash p2ac(P^t))$

□


Theorem T.G.7.6

$p2ac \circ R(\lnot P^f \vdash P^t) = RA \circ A(\lnot p2ac(P^f) \land (\lnot P^f[s/in\alpha] \mathrel{;} true) \vdash p2ac(P^t))$

Proof.

$p2ac \circ R(\lnot P^f \vdash P^t)$ {Theorem T.G.7.7}
$= RA(\lnot p2ac(P^f) \land (\lnot P^f[s/in\alpha] \mathrel{;} true) \vdash p2ac(P^t))$ {Predicate calculus}
$= RA(\lnot (p2ac(P^f) \lor \lnot (\lnot P^f[s/in\alpha] \mathrel{;} true)) \vdash p2ac(P^t))$ {Lemmas L.4.6.1 and L.E.4.5}
$= RA\left(\lnot (PBMH \circ p2ac(P^f) \lor PBMH(\lnot (\lnot P^f[s/in\alpha] \mathrel{;} true))) \vdash PBMH \circ p2ac(P^t)\right)$ {Distributivity of PBMH (Theorem T.E.2.2)}
$= RA\left(\lnot PBMH(p2ac(P^f) \lor (\lnot (\lnot P^f[s/in\alpha] \mathrel{;} true))) \vdash PBMH \circ p2ac(P^t)\right)$ {Lemma L.4.2.2}
$= RA \circ PBMH(\lnot p2ac(P^f) \land (\lnot P^f[s/in\alpha] \mathrel{;} true) \vdash p2ac(P^t))$ {Theorem T.G.1.6}
$= RA \circ A(\lnot p2ac(P^f) \land (\lnot P^f[s/in\alpha] \mathrel{;} true) \vdash p2ac(P^t))$

□


Theorem T.G.7.7

$p2ac \circ R(\lnot P^f \vdash P^t) = RA(\lnot p2ac(P^f) \land (\lnot P^f[s/in\alpha] \mathrel{;} true) \vdash p2ac(P^t))$

Proof.

$p2ac \circ R(\lnot P^f \vdash P^t)$ {Theorem T.5.3.3}
$= RA \circ p2ac(\lnot P^f \vdash P^t)$ {Definition of RA}
$= RA3 \circ RA2 \circ RA1 \circ p2ac(\lnot P^f \vdash P^t)$ {Definition of RA1}
$= RA3 \circ RA2\left((p2ac(\lnot P^f \vdash P^t) \land ac' \neq \emptyset)[\{z \mid z \in ac' \land s.tr \le z.tr\}/ac']\right)$ {Theorem T.4.6.5}
$= RA3 \circ RA2\left((d2ac(\lnot P^f \vdash P^t) \land ac' \neq \emptyset)[\{z \mid z \in ac' \land s.tr \le z.tr\}/ac']\right)$ {Definition of RA1}
$= RA3 \circ RA2 \circ RA1 \circ d2ac(\lnot P^f \vdash P^t)$ {Definition of RA and d2ac}
$= RA(\lnot p2ac(P^f) \land (\lnot P^f[s/in\alpha] \mathrel{;} true) \vdash p2ac(P^t))$

□


Theorem T.G.7.8 $RA1 \circ p2ac(P) = p2ac \circ R1(P)$

Proof.

$RA1 \circ p2ac(P)$ {Definition of p2ac}
$= RA1(\exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land undash(z) \in ac')$ {Definition of RA1 (Lemma L.G.1.1)}
$= \left(\exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land undash(z) \in ac'\right)[\{z \mid z \in ac' \land s.tr \le z.tr\}/ac'] \land \exists z \bullet s.tr \le z.tr \land z \in ac'$ {Substitution: $ac'$ not free in P}
$= \left(\exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land undash(z) \in \{z \mid z \in ac' \land s.tr \le z.tr\}\right) \land \exists z \bullet s.tr \le z.tr \land z \in ac'$ {Property of sets}
$= \left(\exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land undash(z) \in ac' \land s.tr \le undash(z).tr\right) \land \exists z \bullet s.tr \le z.tr \land z \in ac'$ {Predicate calculus: implication}
$= \exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land undash(z) \in ac' \land s.tr \le undash(z).tr$ {Property of undash}
$= \exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land s.tr \le z.tr' \land undash(z) \in ac'$ {Substitution}
$= \exists z \bullet (P \land tr \le tr')[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land undash(z) \in ac'$ {Definition of p2ac}
$= p2ac(P \land tr \le tr')$ {Definition of R1}
$= p2ac \circ R1(P)$

□


Theorem T.G.7.9 $p2ac \circ R1 \circ R2(P) = RA2 \circ p2ac(P)$

Proof.

$RA2 \circ p2ac(P)$ {Definition of p2ac}
$= RA2(\exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land undash(z) \in ac')$ {Definition of RA2}
$= \left(\exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land undash(z) \in ac'\right)[s \oplus \{tr \mapsto \langle\rangle\}/s, \{z \mid z \in ac' \land s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}/ac']$ {Substitution: $ac'$ not free in P}
$= \exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}][s \oplus \{tr \mapsto \langle\rangle\}/s] \land undash(z) \in \{z \mid z \in ac' \land s.tr \le z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\}$ {Property of sets and variable renaming}
$= \exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}][s \oplus \{tr \mapsto \langle\rangle\}/s] \land \exists y \bullet y \in ac' \land s.tr \le y.tr \land undash(z) = y \oplus \{tr \mapsto y.tr - s.tr\}$ {Property of undash, dash}
$= \exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}][s \oplus \{tr \mapsto \langle\rangle\}/s] \land \exists y \bullet y \in ac' \land s.tr \le y.tr \land dash \circ undash(z) = dash(y \oplus \{tr \mapsto y.tr - s.tr\})$ {$dash \circ undash(z) = z$}
$= \exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}][s \oplus \{tr \mapsto \langle\rangle\}/s] \land \exists y \bullet y \in ac' \land s.tr \le y.tr \land z = dash(y \oplus \{tr \mapsto y.tr - s.tr\})$ {Property of dash}
$= \exists z \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}][s \oplus \{tr \mapsto \langle\rangle\}/s] \land \exists y \bullet y \in ac' \land s.tr \le y.tr \land z = dash(y) \oplus \{tr' \mapsto y.tr - s.tr\}$ {Introduce fresh variable}
$= \exists z, t \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}][s \oplus \{tr \mapsto \langle\rangle\}/s] \land \exists y \bullet y \in ac' \land s.tr \le y.tr \land z = t \oplus \{tr' \mapsto y.tr - s.tr\} \land t = dash(y)$ {One-point rule}
$= \exists t, y \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}][s \oplus \{tr \mapsto \langle\rangle\}/s][t \oplus \{tr' \mapsto y.tr - s.tr\}/z] \land y \in ac' \land s.tr \le y.tr \land t = dash(y)$ {Property of $undash \circ dash$}
$= \exists t, y \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}][s \oplus \{tr \mapsto \langle\rangle\}/s][t \oplus \{tr' \mapsto y.tr - s.tr\}/z] \land y \in ac' \land s.tr \le y.tr \land undash(t) = y$ {One-point rule}
$= \exists t \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}][s \oplus \{tr \mapsto \langle\rangle\}/s][t \oplus \{tr' \mapsto undash(t).tr - s.tr\}/z] \land undash(t) \in ac' \land s.tr \le undash(t).tr$ {Property of undash}
$= \exists t \bullet P[s, z/in\alpha_{ok}, out\alpha_{ok'}][s \oplus \{tr \mapsto \langle\rangle\}/s][t \oplus \{tr' \mapsto t.tr' - s.tr\}/z] \land undash(t) \in ac' \land s.tr \le t.tr'$ {Lemma L.D.1.3}
$= \exists t \bullet P[s, t/in\alpha_{ok} \setminus \{tr\}, out\alpha_{ok'} \setminus \{tr'\}][\langle\rangle/tr][t.tr' - s.tr/tr'] \land undash(t) \in ac' \land s.tr \le t.tr'$ {Substitution}
$= \exists z \bullet P[s, z/in\alpha_{ok} \setminus \{tr\}, out\alpha_{ok'} \setminus \{tr'\}][\langle\rangle, z.tr' - s.tr/tr, tr'] \land s.tr \le z.tr' \land undash(z) \in ac'$ {Lemma L.D.1.5 and substitution}
$= \exists z \bullet (P[\langle\rangle, tr' - tr/tr, tr'][s, z/in\alpha_{ok}, out\alpha_{ok'}] \land s.tr \le z.tr') \land undash(z) \in ac'$ {Substitution}
$= \exists z \bullet (P[\langle\rangle, tr' - tr/tr, tr'] \land tr \le tr')[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land undash(z) \in ac'$ {Definition of R2 and R1}
$= \exists z \bullet (R1 \circ R2(P))[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land undash(z) \in ac'$ {Definition of p2ac}
$= p2ac \circ R1 \circ R2(P)$

□


Theorem T.G.7.10 $p2ac \circ R3(P) = RA3 \circ p2ac(P)$

Proof.

$p2ac \circ R3(P)$ {Definition of R3}
$= p2ac(\Pi_{rea} \lhd wait \rhd P)$ {Lemma L.C.5.1}
$= p2ac(\Pi_{rea}) \lhd s.wait \rhd p2ac(P)$ {Lemma L.G.7.2}
$= \Pi_{RAD} \lhd s.wait \rhd p2ac(P)$ {Definition of RA3}
$= RA3 \circ p2ac(P)$

□


Lemma L.G.7.1

$\Pi_{RAD} = (\lnot ok \land \exists z \bullet s.tr \le z.tr \land z \in ac') \lor (ok' \land s \in ac')$

Proof.

$\Pi_{RAD}$ {Definition of $\Pi_{RAD}$}
$= RA1(\lnot ok) \lor (ok' \land s \in ac')$ {Definition of RA1 (Lemma L.G.1.1)}
$= \left((\lnot ok)[\{z \mid z \in ac' \land s.tr \le z.tr\}/ac'] \land \exists z \bullet s.tr \le z.tr \land z \in ac'\right) \lor (ok' \land s \in ac')$ {Substitution}
$= (\lnot ok \land \exists z \bullet s.tr \le z.tr \land z \in ac') \lor (ok' \land s \in ac')$

□


Lemma L.G.7.2 $p2ac(\Pi_{rea}) = \Pi_{RAD}$

Proof.

$p2ac(\Pi_{rea})$ {Definition of $\Pi_{rea}$}
$= p2ac\left((\lnot ok \land tr \le tr') \lor (ok' \land tr' = tr \land wait' = wait \land ref' = ref \land v' = v)\right)$ {Definition of p2ac}
$= \exists z \bullet \left((\lnot ok \land tr \le tr') \lor (ok' \land tr' = tr \land wait' = wait \land ref' = ref \land v' = v)\right)[s, z/in\alpha_{ok}, out\alpha_{ok'}] \land undash(z) \in ac'$ {Substitution}
$= \exists z \bullet \left((\lnot ok \land s.tr \le z.tr') \lor (ok' \land z.tr' = s.tr \land z.wait' = s.wait \land z.ref' = s.ref \land z.v' = s.v)\right) \land undash(z) \in ac'$ {Lemma L.D.2.5}
$= \exists y \bullet \left((\lnot ok \land s.tr \le z.tr') \lor (ok' \land z.tr' = s.tr \land z.wait' = s.wait \land z.ref' = s.ref \land z.v' = s.v)\right)[dash(y)/z] \land y \in ac'$ {Substitution}
$= \exists y \bullet \left((\lnot ok \land s.tr \le dash(y).tr') \lor (ok' \land dash(y).tr' = s.tr \land dash(y).wait' = s.wait \land dash(y).ref' = s.ref \land dash(y).v' = s.v)\right) \land y \in ac'$ {Property of dash}
$= \exists y \bullet \left((\lnot ok \land s.tr \le y.tr) \lor (ok' \land y.tr = s.tr \land y.wait = s.wait \land y.ref = s.ref \land y.v = s.v)\right) \land y \in ac'$ {Equality of records}
$= \exists y \bullet ((\lnot ok \land s.tr \le y.tr) \lor (ok' \land y = s)) \land y \in ac'$ {Predicate calculus}
$= (\lnot ok \land \exists y \bullet s.tr \le y.tr \land y \in ac') \lor (\exists y \bullet ok' \land y = s \land y \in ac')$ {One-point rule}
$= (\lnot ok \land \exists y \bullet s.tr \le y.tr \land y \in ac') \lor (ok' \land s \in ac')$ {Definition of $\Pi_{RAD}$ (Lemma L.G.7.1)}
$= \Pi_{RAD}$

□


G.7.2 ac2p

Lemma L.G.7.3 Provided $ac'$ is not free in $P$,

$ac2p((e)^{ac'}_{y}(P)) = P[State_{II}(in\alpha)/s][undash(State_{II}(out\alpha_{ok'}))/y]$

Proof.

$ac2p((e)^{ac'}_{y}(P))$ {Lemma L.C.5.41}
$= ac2p(P[\{y\} \cap ac'/ac'])[undash(State_{II}(out\alpha_{ok'}))/y]$ {Assumption: $ac'$ is not free in P}
$= ac2p(P)[undash(State_{II}(out\alpha_{ok'}))/y]$ {Lemma L.C.5.30}
$= P[State_{II}(in\alpha)/s][undash(State_{II}(out\alpha_{ok'}))/y]$

□
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Lemma L.G.7.4 

ac2p(P ) ; ac2p(Q) 


( (3 ac' • P[Statejp(ina- ok)/s\[oko/ok'] A ac' C {?/}) 


3 oko, y 


A 


\ (3 ac' • Q[y/s][oko/ok] A ac' {z \ /\x : outa- 0 k’ • dash(z).x = x 


Proof. 

ac2p(P) ; ac2p(Q) {Definition of ac2p (Lemma 

/ / P[Statejj(ina- ok )/s] \ \ 

3 ac' • A 

\ ac' C {z | /\ x : outa_ 0 k< • dash(z).x — x) ) 

( Q[Statejj(ina-ok)/ 

A 

\ ac' C {z j f\x : outa_ 0 k' • dash(z).x — x} ) J 


L.C.5.2C 


3 ac' 


\ 

( 


\ 


3 ac' 


( P[Statejp(ina_ 0 k)/ s] 


. U UjUVC—Qfcr * J .Jb Ju j y y 

{Expand conjunction, where x ranges over x^ 
A/J \ \ 


to 


3 ac' 


A 

\ ac' C {z | dash(z).x' 0 = x' 0 A ... A dash(z).x' n = x' n } J 
f Q[Stateii(ina.- ok )/s] \ 


\ 

( 


A 

\ ac! C 


3 ac' 


C {z | /\ x : outa_ 0 k’ • dash(z).x = x} J J 

{Property 

\ \ 


of 


/ P[S'fafejj(ma'_ 0 fe)/i 


A 

\ ac' C {z | z.xo = Xq A ... A z.x n = x' n } J 


3 ac' 


/ <3[<SWejj (ina^ 0 k)/& 


V 


\ 


A 

\ ac 


{Definition of 


;/ V. {z | A x : outa- 0 k' • dash(z).x = x} ) J 
sequential composition, where the vector x ranges 


over 
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= 3 oko, x 


/ P[State ij (ina_ 0 k)/s\ 


3 ad 


A 


3 ac' 


A 


\ \ 

[oka, x/ok', x'] 


= 3 ok 0 , x 


3 ac' 


A 


3 ac' 


\ ac' C {z | = x' 0 A ... A z.x n = / 

/ <5[5tatejj(ma_ ofc )/s] \ 

A [ok 0 , x/ok, x] 

\ ac' C {z | /\x : outa_ 0 k' • dash(z).x — x} J ) 

{Substitution} 

/ P[/S'iaiejj(ino:_ 0 fc)/s][oAo/oA:'] \ \ 

A 

\ ac' C {z | z.xq — cto A ... A z.x n = x n } J 

f Q[Statej;j (ina_ 0 k)/s][oko, x/ok, x] \ 

A 

\ ac' C {z | /\x : outa- 0 k’ • dash(z).x = x} ) J 

{Lemma IL.D.1.91} 


= 3 oko, x 


/ P[Stateji ( inot- 0 k )/s] [oko/ok'] 


3 ac' 


A 


3 ac' 


\ 


A 


\ 


\ ac' C {z | z.a<) = Xq A ... A z.x n = £„} / 
/ / 3 s: State(ina-ok) • Q \ 


A 


\ 


[oko, x/ok, x\ 


(/\ x : ina- 0 k • s.x — x) ) 


A 


7 


\ ac' C {z j /\x : outa_ 0 k' • dash(z).x = x} J 

{Introduce fresh variable y} 


( 


= 3 oko, x 


/ P[Statejj ( inot- 0 k )/s] [oko/ok'] 


3 ac' 


A 


3 ac' 


\ 


A 


\ 


\ ac' C {z | z.xq — cto A ... A z.x n = x n } J 


( 


( 3y : State(ina_ 0 k) • Q[y/s] \ 


A 


\ 


[oko, x/ok, x] 


\ (A x : ina- 0 k • y.x = x) ) 


A 


7 


\ ac' C {z j /\x : outa_ 0 k' • dash(z).x = x} J 

{Expand conjunction} 
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/ 


= 3 oko, x 


( P[State n (ina - ok)/s][oko/ok'] 


3 ac' 


A 


3 ac' 


\ 


A 


\ 


\ ac' C {z | z.xq — xq A ... A z.x n = x n } ) 


( 


( 3y : State(ina- ok ) • Q[y/s] \ 


A 


[o/co, x/ ok, x 


\ (y.a<j = 3b A ... A ?/.s n = s n ) / 


A 


/ 


/ 


= 3 o/cq, s 


3 ac' 


A 


3 ac' 


\ ac' C {z \ /\ x : outa- 0 k' • dash(z).x = x} ) 

{Substitution} 

/ P[Stateu(ina- 0 k)/s][oh)/ok'] \ \ 

A 

\ ac' C {z | z.x o = Sq A ... A z.x n = x n } ) 


( l 3 y : State(ina-ok) • Q[y/s][oko/ok\ \ \ 
A 

\ {y-Xo = So A ... A ?/.s n = x n ) 

A 


V 


y 


y 


\ ac' C {z | f\ x : outa_ 0 k' • dash(z).x = x} ) 

{Predicate calculus} 

/ / P[/S'iaiejj(irao;_ 0 fc)/s][ofco/oA;'] \ \ 

A 

\ ac' C {z | z.Xq = So A ... A z.s n = s n } y 


3 ac' 


A 


= 3 o&o, x,y 


( 


l Q[y/s][oko/ok] 


\ \ 


3 ac' • 


v 


A 

\ (y-Xo = So A ... A y.x n = x n ) ) 

A 

\ ac' C {z | /\s : outa_ 0 k' • dash(z).x = x) ) ) 

{One-point rule} 



G.7. RELATIONSHIP WITH CSP 


593 


= 3 ok 0 , y 


/ P[Statejj (ina_ 0 k)/s)[oko/ok'} 


3 ad 


A 


3 ac' 


\ 


A 




\ ac’ C {z | z.xq = 2/-a3o A ... A z.x„ = ?/.x n } / 


/ Q[l//s] [oAb/ofc] 


\ 


A 




\ \ ad C {z | /\x : outa_ 0 k' • dash(z).x — x} ) 

{Equality of records} 

/ / P [<SWejj (ma:_ O fc)/s][o^o/ofc'] \ \ 

3 ad • 


= 3 ok 0 , j/ 


A 


A 


3 ac' 


\ ac' C {z | z = y} 

( Q[y/s][oko/ok\ 

A 


/ 


\ 


/ 


= 3 o/j 0 , y 


\ ac' C {z | /\ x : outa- 0 k> • dash(z).x = x} J 

{Property of sets} 

f (3 ad • P[Statejj (ina- O k)/s][oko/ok'} A ad C {?/}) 

A 


\ 


\ (3 ad • Q[y/s][oko/ok] A ad C {z \ /\ x : outa_ 0 k> • dash(z).x = x}) / 

□ 


Lemma L.G.7.5 

ac2p(P) j ac2p(Q) 

/ (P[0/ac'] V P[{?/}/ac'])[5'tatejj(mo:_ 0 fc)/s][o/cb/oA;'] ^ 

3 o/so, y • A 

\ (3 ac' • Q[y/s\[oko/ok] A ad C {z \ /\x : outa- 0 k> • dash(z).x = x}) ) 


Proof. 


ac2p(P ) ; ac2p(Q ) 


{Lemma IL.G.7.41} 


= 3 ofc 0 , y 


f (3 ac' • PfS'tatejj (ma_ ok)/s][oko/ok'} A ad C {y}) \ 

A 

\ (3 ac' • Q[y/s][oko/ok] A ad C {z \ f\ x : outa- 0 k' • dash(z).x = x}) J 

{Case analysis on ad and substitution} 
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APPENDIX G. REACTIVE ANGELIC DESIGNS (RADj 


= 3oko,y 


= 3oko,y 


( / P[Statejj (ina_ 0 k)/s)[oko/ok'][{/)/ac'} ^ 

V 

\ P[Statejj(ina- ok ) / s][oko/ok'][{y}/ac'] ) 

A 

\ (3 ac' • Q[y/s][oko/ok\ A ac' C {z | /\ x : outa- 0 k' 


\ 


dash(z).x = x}) ) 
{Substitution} 


( (P[0/ac'] V P[{y}/ac'])lStateu(inoi- 0 k)/s^ok®/ok'] ^ 

A 

\ (3 ac' • Q[y / s\[ok 0 / ok] A ac' C {z j /\ x : outa_ 0 k> • dash(z).x = x}) ) 


□ 


Lemma L.G.7.6 

ac2p(P) ; ac2p(Q) 

( (3 ac' • P[Statejj(ina_ 0 k)/s\ A ac' C {s'}) N ' 

; 

\ (3 ac' • Q A ac' C {z | /\ x : outa-ow • dash(z).x = x}) / 


Proof. 


ac2p(P) ; ac2p(Q ) 


= 3 ofc 0 , y 


= 3 ofco, y 


= 3 o&o, y 


{Lemma IL.G.7.41} 

( (3 ad • P[Stateu(ina_ 0 if)/s\[oko/ok'] A ac' C {?/}) ^ 

A 

\ (3 ac' • Q[y/s][oko/ok] A ac' C {z | /\ x : outa- 0 k' • dash(z).x = x}) / 

{Introduce fresh variable s'} 

( (3 ac'• P[Statexj (ina-ok)/s][oko/ok'] A ac'C {s'})[y/s'] ^ 

A 

\ (3 ac' • Q[y/s] [oko/ok] A ac' C {z \ f\ x : outa_ 0 k' • dash(z).x = x}) / 

{Substitution} 

/ (3 ac' • P[State jj (ina_ 0 k)/s] A ac' C {s'})[o/co, y/ok', s'] \ 

A 

\ (3 ac' • <5 A ac' C {z | /\ x : outa- 0 k> • dash(z).x = x})[ofco, y/ok , s] / 

{Definition of sequential composition} 
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/ (3 ac' • P[Statejj{ina- 0 k )/ s] A ac' C {s'}) ^ 

\ (3 ac' • Q A ac' C {z | /\ x : outa- 0 w • dash(z).x = x}) / 

□ 


Lemma L.G.7.7 


ac2p(P ) ; ac2p(Q) 


( P[$/ac'}[Statej;p(ina_ 0 k)/s][ok 0 /ok'} 


3 o/c n 


\ 


A 


\ 


V 


\ (3 ac', s • Q[oko/ok] A ac 1 C {z | /\ x : outct- 0 u • dash(z).x = x}) J 

( P[{s'}/ac'][Statejj(ina- ok )/s\ ^ 

; 

\ (3 ac' • (J A ac' C {z | /\ x : outa_ 0 k' • dash(z).x = x}) J 




Proof. 


ac2p(P) ; ac2p(Q ) {Lemma IL.G.7.41} 

/ (P[0/ac'j V P[{?/}/ac'])[5'tatejj(mQ;_ 0 fc)/s][oA<)/oA:'] \ 


= 3 o/j 0 , y 


= 3 o/j 0 , y 


A 

\ (3 ac' • <5[2//s][ofco/ofc] A ac' C {z | /\ x : outot- 0 k> • dash(z).x = x}) / 

{Substitution} 

( ( P[®/ ac'][Stateix(inoL- ok )/s][okQ/ok'] \ \ 

V 

V P[{y}/ac'jlStateutinoi-ok)/s\[oko/ok'} ) 

A 

\ (3 ac' • Q[y/s][oko/ok] A ac' C {z\ /\x : outa- 0 k' • dash(z).x = x}) J 

{Predicate calculus} 
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APPENDIX G. REACTIVE ANGELIC DESIGNS fRAD) 


P[0/ ac'] [State u (ina_ 0 k )/s] [ok®/ok'} 


(/Sac' • Q[y / s][ok® / ok] A ac' C {z \ /\x : outa- 0 k> • dash(z).x = x}) 


= 3oko,y» V 


/ P[{y}/ac'}[State jj ( ina- Q k )/s] [o/co/o/c'] 

A 

\ \ (3 ac' • <?[2//s][ofeo/ofc] A ac' C {z | /\x : outa_ 0 k’ • dash(z).x = a;}) 

{Predicate calculus} 

( P[0/ac'] [ .State jj (ma_ 0/ t) /s] [o/co/ o/c'] 

3 oAo, 2/ • A 

\ (3 ac' • <?[2//s][ofco/ofc] A ac' C {z | /\x : outa- 0 k' • dash(z).x = a;}) 


/ P[{2/}/ac'] [<State jj (ina_ 0 k) /s][ oAq/ o&'] 

3 o&o, y • A 

\ (3 ac' • <3[?// s ][ 0 W 0 ^] A ac' C {z | /\ a; : outct- 0 k> • dash(z).x = a;}) 
{Predicate calculus and property of substitution} 

( P[0/ ac'] [S'tatejj (ma_ 0 J/s] [o/co / ok'} ^ 

A 

(3 ac', s • Q[ok o/ofc] A ac' C {z | /\ x : outa_ 0 k' • dash(z).x = x}) / 


/ P[{?/}/ac'] [.State jj ( ina- Q k ) /s] [ofco/oA;'] 

3 o/co, y • A 

\ (3 ac' • <3[2// 5 ][°W 0 ^] A ac' C {z | /\x : outa- 0 k' • dash(z).x = x}) 

{Introduce fresh variable s'} 

( P$/ac'][Stateu(ina._ 0 i.)/s][ok®/ok'] ^ 

3 ok® • A 

\ (3 ac', s • Q[ok o/ofc] A ac' C {z | /\ x : outa- 0 k' • dash(z).x = x}) / 


( P[{s'}/ac'][Statejj (ina- 0 k)/s][ok®/ok'][y/s'] 

Sok®,y A 

\ (3 ac' • Q[y/s][ok®/ok] A ac' C {z | /\x : outa_ 0 k' • dash(z).x = x}) 

{Definition of sequential composition} 
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/ P[0/ac'] [.Sfatejj ( ina_ 0 k ) /s] [o&o/oA;'] 


3 ofci 


\ 


A 




V 


\ (3 ac', s • Qfofco/ofc] A ac' C {z j /\ x : outa- 0 k> • dash(z).x = a;}) / 
/ P[{s'}/ac'][5'tatejj(ma_ 0 fc)/s] \ 

5 

\ (3 ac' • <5 A ac' C {2 | /\ X : outa_ 0 k' • dash(z).x = x}) j 


B 


G.7.3 p2ac 

Theorem T.G.7.11 p2ac{P ; Q ) = p2ac{P) ; Vac p2ac(Q ) 


Proof. 

p2ac(P) ; Vac p2ac(Q) {Definition of ] Vac } 

= 3 ok o • p2ac(P)[oko/ok'] \ A p2ac(Q)[oko/ok] { Lemmas IL.C.5.8l and IL.C.5.161} 
= 3 oko • p2ac(P[oko/ok'}) \ A p2ac(Q[oko/ok]) {Theorem IT.G.7.121 } 

= 3 oko • p2ac(P[oko/ok'] ; Q[oko/ok]) {Lemma IL .C.5.1 51 } 

= p2ac(3 oko • P[oko/ok'] ; Q[oko/ok}) {Definition of sequential composition} 
= p2ac(P ; Q) 


□ 


Theorem T.G.7.12 Provided ok' is not free in P and ok is not free in Q, 
p2ac{P) ; A p2ac{Q) = p2ac(P / Q) 


Proof. 

p2ac(P) \ A p2ac(Q) {Definition of p2ac} 

= (3 z • P[s,z/ina- 0 k, outa- 0 k>] A undash(z) G ac') ] A p2ac(Q) 

{Definition of ] A and substitution} 

= 3 z • P[s,z/ina- 0 k, outa- 0 k'} A undash(z) G {s | p2ac(Q)} {Property of sets} 
= 3 z • P[s, z/ina- 0 k, outa_ 0 k>] A p2ac(Q)[undash(z) / s] {Definition of p2ac} 
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APPENDIX G. REACTIVE ANGELIC DESIGNS (B AD) 


P[s, z/ ina._ 0 ki outa_ ok '} \ 

A 

(3 t • Q[s,t/ina- 0 k, outa- 0 k'] A undash(t ) e ac')[undash(z) / s\ ) 

{One-point rule} 

P[ s, z/ ina-ok, outa- ok >} \ 


( Q[ s, t /ina- 0 k, outoi_ ok '} 

3t,s • A 

\ s = undash(z) A undash(t) e ac' 

P[s, z /ina- 0 k, outa- ok '} 

A 

OVjtCX—ok r \ 


{Equality of records} 


3 t, s • s.a<) = undash(z) .Xq A ... A s.a; n = undash(z).x n 


undash(t) e ac' 


E[s, Z/ %TlOl—oki OUtOl—ok' 


{Property of undash} 


<2[s, t /inot— 0 ki outQt— 0 k' 


3t, s • s.xq = z.x'n A ... A s.a; n = 


undash(t) e ac' 


P[s, z/ onto.— 0 k' 


{Introduce fresh vector of variables 5:} 


= 3 z, 5; 


t/ %nOl—oki OUtOl— ok' 


3t, s • s.^o = A^) = z.^q A ... A s.a; n = x n A x n = z.x' n 


undash(t) e ac' 


{Equality of records} 
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= 3 z,x 


I p M inoi-Qk, onto/,—ok'\ 

A 

/ <3M/ ina-ok, outot— ok'\ ^ 

A 

S = {Xo Xo, . . . , X n ^ X n } 

A 

Z = {^o H- Xo, ■ ■ ■, x' n 5; n } 

A 

\ undash(t) G ac' 




3 t, s 


) 


= 3z,i 


{Expand substitutions} 

\ 


3 t, s 




) 


/ 


= 3 5; 


= 3 5; 


( p [ s, z.Xq, z.x'J ina-ok, x' 0 ,..., x' n ] 

A 

( Ql'S.X o, • • • ; S.X n , t/xo, • • • ; X n , ^ 

A 

s = {xo I-A 5b,..., x n HA 5; n } 

A 

z = {x' 0 f-A 5; 0 ,..., x’ n ha x n } 

A 

y undash(t) G ac' 

{One-point rule} 

/P[s,z.x',...,,. x'J ina-ok, x'q,..,, x' n ] [{xq i-A xq, ..., x' n i-A x ra }/z] 

A 

/ <3[s.xo,..., s.x n , t/x 0 , ...,Xn, outa- 0 k'][{xo H- 5b, • • •, X n HA 5; n }/s^ 
A 

\ undash(t) G ac' 

{Substitution and value of record components} 

( PI s,xo,..., x'J ina- ok , x' 0 ,..., x' n ] \ 

A 

^ Q[5o; iii) Xn, t/2<)) • • • ) 0; n , CUtCT—o/j'] ^ 

A 

\ undash(t) G ac' 


3* 


3* 


/ 


/ 


{Vector of variables 5;} 


{ PI s, x/ina- 0 k, x’} 


= 3 5; 




A 


\ 3 t • Q[x,t/x, outa- 0 k>} A undash(t) G ac' ) 


{Property of substitution} 
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APPENDIX G. REACTIVE ANGELIC DESIGNS (RAD) 


= 3 x 


= 3 t • 3 x 


( P[x/x'][s/ina_ ok ] \ 

A 

\ 3 t • Q[x/x\[t/ outa-oj.'] A undash(t) E ad ) 

( P[x/x'][s/ina- ok ] \ 

A A undash(t) E ad 


\ Q[x/x][t/outa_ ok >] ) 


{Predicate calculus} 


{Property of substitution} 

— 3t • (3£« P[x/x'] A <5[x/x])[s,t/^Q!_ 0J t, outat- 0 k'\ A undash(t) E ad 

{Definition of sequential composition assuming ok' ^ fv(P) and ok ^ /?;(())} 

= 3 t • (P ; Q)[s,t/mo!_ ofc , A undash(t) E ad {Definition of p2ac} 

= p2ac(P ; <5) 


□ 

Lemma L.G.7.8 p2ac(P)[{z}/ac'] A z E ad = p2ac(P)[{z} fl ad/ad] A z E ad 


Proof. 


p2ac(P)[{z} D ad/ad] A z E ad {Lemma IL. 4.6. 11} 

= (PBMH o p2ac(P))[{z} fl ad/ad] A z E ad 

{Definition of PBMH (Lemma |L.4.2. 3} 

= (3 ac 0 • p2ac(P)[ac 0 /ad] A ac 0 C ad)[{z} fl ad/ad] A z E ad {Substitution} 

= 3 ac 0 • p2ac(P)[ac 0 /ad] A ac 0 C ({z} fl ad) A z E ad {Property of sets} 

= 3 aco • p2ac(P)[aco/ad] A aco C {z} A aco C ad A z E ad {Property of sets} 

= 3 aco • p2ac(P)[aco/ad] A aco C {z} A z E ad {Substitution} 

= (3 aco • p2ac(P)[aco/ac] A aco C ad)[{z} / ad] A z E ad 


{Definition of PBMH (Lemma L.4.2.1)} 
= (PBMH o p2ac(P))[{z}/ad] A z E ad {Lemma lL. 4.6.11} 

= p2ac(P)[{z}/ad] A z E ad 


m 


G.7.4 p2 ac and ac2p 


Theorem T.5.3.5 ac2p o p2ac(P) = P 
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Proof. 

ac2p o p2ac(P) {Definition of ac2p} 

= (PBMH o p2ac(P)) [State jj (ina_ 0 k)/s] ] A f\ x '• outa._M • dash{s).x = x 

{Lemma IL.4.6.11} 

= p2ac(P)[Statejj;(ina- 0 k)/s] ] A x : outa- 0 k' • dash(s).x = x 

{Definition of p2ac} 

( (3 z • P[s,z/ina- 0 k, outa- 0 k'} A undash(z) E ac') [State jj (ina- 0 k )/s] ^ 

f\ x : outa- 0 k' • dash(s).x = x ) 

{Substitution} 

/ (3 z • P[s,z/ inot_ 0 ki outa.- 0 k'][Stateji(inoi_ 0 k) /s] A undash(z) E ac') \ 

iA 

\ f\x : outa- 0 k' • dash(s).x = x ) 

{Lemma IL.D.l.lOl } 

= (3 z • P[z/outa-ok') A undash(z) E ac') \ A /\ x : outa.- 0 k’ • dash{s).x = x 

{Definition of \ A and substitution} 

= 3 z • P[z/outa- 0 k'] A undash(z) E {s | /\x : outa- 0 k’ • dash(s).x = x} 

{Property of sets} 

= 3 z • P[z/outa_ 0 k'\ A x : outa_ 0 k' • dash(undash(z)).x = x 

{Property of dash and undash} 
= 3 z • P[z/outa_ 0 k'] A x : outa_ 0 k’ • z.x = x {Lemma IL.D.1.91} 

= P[z/outa- 0 k'][Statejx (outa- 0 k')/z\ {Lemma IL.D. 1.101 } 

= P 


B 


Theorem T.5.3.6 Provided P is PBMH -healthy, p2ac o ac2p(P) □ P. 


Proof. 


p2ac o ac2p(P) 

= 3 aco, y • P[aco/ ac] A aco C {y} A y E ac' 

= 3 aco, y • P[aco/ ac) A aco C {y} A {y} C ac' 

=$■ 3 aco • P[aco/ac / ] A aco C ad {Definition of PBMH (Lemma L.4.2.1)} 


{Lemma IL.5.3.11} 
{Property of sets} 
{Predicate calculus} 
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APPENDIX G. REACTIVE ANGELIC DESIGNS (RADj 


= PBMH(P) {Assumption: P is PBMH-healthy} 

= P 


□ 


Theorem T.G.7.13 p2ac o ac2p(P) □ PBMH(P) 


Proof. 


p2ac o ac2p(P) 

= 3 aco, y • P[aco/ac 7 ] A aco C {y} A 
= 3 aco, y • P[aco/ac'] A aco C {y} A 
3 aco • P[aco/ac 7 ] A aco C ac 7 

= PBMH(P) 


y G ac 
M C ac 7 


{Lemma IL.5.3.11} 
{Property of sets} 
{Predicate calculus} 


{Definition of PBMH (Lemma |L.4.2. 3} 


□ 


Theorem T.G.7.14 

p2ac(ac2p(P) ; ac2p(Q )) = (3 ac' • P A ac' C {s 7 }) / p2ac o ac2p(Q ) 


Proof. 


{Lemma IL.G.7.61} 
\ 


p2ac(ac2p{P) ; ac2p(Q )) 

/ (3 ac 7 • P[Stateji (ina_ 0 jf) /s] A ac 7 C {s 7 }) 

= ac2p ; 

\ (3 ac' • Q A ac' {z \ /\ x \ outa-ow • dash(z).x = x}) ) 

{Lemma IL.C.5.18] } 

/ (3 ac' • P [State jp (ina - ok)/s] A ac' C {s 7 })[s/ma_ 0 jfc] \ 


/ 3 z • (3 ac 7 • A ac 7 C {z | /\ x : outa_ 0 k> • dash(z).x = x})[z/outa_ 0 v] \ 
A 

\ undash(z) G ac 7 / 

{Change variable name} 
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/ (3 ac' • P[Statejj; (ina_ 0 k)/ s\ A ac' C {s'})[s/ma_ 


ok I 




/ 3 z • (3 ac' • Q A ac' C {?/ | f\ x : outa- 0 k> * dash(y).x = x})[z/outa.- 0 k'} \ 
A 

\ \ undash(z) G ac' / 

{Substitution} 

/ (3 ac'• F[5'tatejj(ma_ 0 fc)/s][s/ma_ 0 fc] A ac' C {s'}) \ 


/ 3 2 • (3 ac' • Q A ac' C {?/ | /\ x : outa_ 0 k' • dash(y).x = z.x}) \ 


A 


\ undash(z) G ac' 

/ (3 ac' • F A ac' C {s'}) 


/ 




{Lemma iL.D.l.lll } 


3 z • (3 ac' • Q A ac' C {y \ f\ x : outa_ 0 k' • dash(y).x = z.x}) \ 


A 


\ \ undash(z) G ac' 

/ (3 ac' • P A ac' C {s'}) 


/ 


/ 


{Introduce fresh variable t} 

\ 


/ 3 t • (3 ac' • Q A ac' C {?/ ] f\ x : outa_ 0 k’ • dash(y).x = z.x}) \ 


A 


\ t — undash(z) A t £ ac' 
( (3 ac' • P A ac' C {s'}) 


/ 




{Property of dash} 

\ 


f 3 z, t • (3 ac' • Q A ac' C {y \ f\x : outa_ 0 k' • dash(y).x = z.x}) \ 


A 


\ dash(t) = z A t G ac' 
( (3 ac' • P A ac' C {s'}) 


/ 


/ 


{One-point rule} 
\ 


/ 3 t • (3 ac' • Q A ac' C {y \ f\ x : outa^ 0 k' • dash(y).x = dash(t).x}) \ 

A 

\ t G ac' J J 

{Property of dash and equality of records} 
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APPENDIX G. REACTIVE ANGELIC DESIGNS (RAD) 


( (3 ac! • P A ad C {s'}) 


\ 


{Property of records} 


\ (3 t • (3 ad • Q A ad C {y \ y — t}) A t e ac') / 

( (3 ad • P A ac' C {s'}) ^ 

; {Introduce fresh variable aco} 

^ (3 t • (3 ad • Q A ad C {t}) A t e ad) ) 

( (3 ad • P A ad C {s'}) 




\ (3 t • (3 aco • Qfaco/ac'] A aco C {t}) Ate ac') / 


/ (3 ad • P A ad C {s'}) 




{Predicate calculus} 


{Lemma IL.5.3.11} 


\ (3 t, aco • Q[aco/ac'] A aco C {t} Ate ac') / 
= (3 ad • P A ac' C {s'}) ; p2ac o ac2p(Q ) 


□ 


Theorem T.G.7.15 Provided Q is PBMH -healthy and s' is not free in P, 
p2ac(ac2p(P) ; ac2p(Q )) =» PBMH(P) ; x , ac Q 


Proof. 

p2ac(ac2p(P ) ; ac2p{Q )) {Theorem IT. CL7. 141 } 

= (3 ad • P A ac' C {s'}) ; p2ac o ac2p(Q ) 

{Assumption: <5 is PBMH-healthy and Theorem |T.5.3.6| | 

=> (3 ad • P A ac' C {s'}) ; Q {Definition of sequential composition} 

= 3 so, oko • (3 ad • P A ad C {s'})[oA:o, so/ok', s'] A <5[ofco, so/ ok, s] 

{Substitution} 

= 3 so, o/u’o • (3 ad • P[oko/ok'] A ac' C {so}) A Q[o/so/oA:][so/s] 

{Introduce fresh variable aco} 

= 3 so, oko, oco • P[oko/ok'][aco/ad] A aco C {so} A Q[oko/ok][so/s] 

{Property of sets} 

= 3 so, oko, oco • P[oko/ok'][aco/ad] A aco C {so} A so e {s | Q[oko/ok]} 

{Property of sets} 

= 3 so, oko, oco • P[oko/ok'][aco/ad] A aco C {so} A {so} C {s | Q[oko/ok]} 

{Property of sets and predicate calculus} 
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=> 3 ok 0 , ac 0 • P[ok 0 /ok'][ac 0 /ac'] A ac 0 C {s | Q[ok 0 /ok]} {Substitution} 

= 3 oho, ac 0 • (P[oko/ok'][ac 0 /ac'] A ac 0 C ac')[{s \ Q[ok 0 / ok]} / ac'] 

{Predicate calculus} 

= 3 oho • (3 ac 0 • P[ok 0 /ok'][ac 0 /ac'] A ac 0 C ac / )[{s | Q[oko/ok]} / ad] 

{Lemma IL. 4.2.11} 

= 3 ok 0 • (PBMH(P[oio/ot']))[{s | Q[ok 0 /ok]}/ac'] {Definition of ’, A } 

= 3 ok 0 • (PBMH(P[o^o/o^])) \ A Q[oko/ok] {Lemma IL.E.5.11} 

= 3 ok 0 • (PBMHfFjfofco/ofc']) \ A Q[oko/ok] {Definition of ' lT)ac } 

= PBMH(P) ; Vac Q 

□ 

Lemma L.G.7.9 Provided P and Q are PBMH -healthy, s' is not free in P, ok' 
is not free in P and ok is not free in Q, 

p2ac(ac2p(P) ; ac2p(Q)) =>• P ; A Q 


Proof. 


p2ac(ac2p(P) ; ac2p(Q)) 
=► PBMH(P) q 


{Theorem IT. G. 7.151 } 
{Assumption: P is PBMH-healthy} 


= P\ 


iT>ac 


Q 


{Assumption: ok' fv(P), ok f fv(Q ) and Lemma L.C.4.4} 


= P\aQ 


□ 

Lemma L.G.7.10 Provided P and Q are PBMH -healthy, s' is not free in P, ok' 
is not free in P. 

p2ac(ac2p(P) / ac2p(Q )) =>- P ; A (3 ok • Q) 


Proof. 

p2ac(ac2p(P ) ; ac2p(Q )) {Theorem IT. G.7. 151 } 

=>• PBMH(P) ; Vac Q {Lemma OUT} 

=>• PBMH(P) \ A (3 ok • Q) {Assumption: P is PBMH-healthy} 

= P u (3 ° k • Q) 
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□ 


Results with respect to A2 

Theorem T.5.3.7 Provided Pj and Pj are A2 -healthy, 

p2ac o ac2p o RA o A(-> Pj b Pj) = RA o A(-> Pj b Pj) 


Proof. 


p2ac o ac2p o RA o A(-> Pj b Pj) (Theorem IT. 5.3. 21 } 

= p2ac o R(-i ac2p(Pj) b ac2p(Pj)) (Theorem IT .G.7. 51 } 

= RA(-< p2ac o ac2p(Pj) b p2ac o ac2p(Pj)) (Definition of RA} 

= RA3 o RA2 o RAl(-i p2ac o ac2p(Pj) b p2ac o ac2p(Pj)) 

(Lemma IL.G.1.181 } 

f -n (p2ac o ac2p(Pj) A ac! 7 ^ 0) \ 


= RA3o RA2o RA1 


b 


\ p2ac o ac2p(Pj) A ac' 7 ^ 




{Assumption: Pj and Pj are A2-healthy} 


= RA3o RA2o RA1 


/ - 1 / 

( -n (p2ac o ac2p o A2 (Pj) A ac' 7 ^ 0) \ 
b 

\ p2ac o ac2p o A2(Pj) A ac' ± 


l (A2(Pf) A ac' ^ 0) \ 


= RA3o RA2o RA1 


= RA3o RA2o RA1 


b 


7 

(Lemma IL.C. 1.291 } 
(Lemma IL.C.1.261 } 


7 


\ A2(Pj) A ac' ^ 0 

/ (PBMH o A2(Pj) A ac' ^ 0) \ 
b 


\ PBMH o A2(Pj) A ac' ^ 


7 


(Assumption: Pj and Pj are A2-healthy} 


/ (PBMH(P() A ac' 7 ^ 0) \ 


= RA3o RA2o RA1 


b 


\ PBMH(P}) A ac' ^ 


= RA3 o RA2 o RAl(-i PBMH(P/) b PBMH (Pj)) 
= RA3 o RA2 o RA1 o Al(-> P f f b Pj) 

= RA3 o RA2 o RA1 o AO o Al(-. P f f b Pj) 


(Lemma IL.G.1.181 } 

(Definition of Al} 
(Theorem IT. 5.2.11} 
(Definition of RA} 
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= RA o AO o Al(-< Pj h Pj) {Definition of A} 

= RA o A(-. P f f h Pj) 


□ 


Lemma L.G.7.11 Provided P is A2 -healthy, p2ac o ac2p(P) = P A ac! 0 
Proof. 


p2ac o ac2p(P) 

= p2ac o ac2p o A2(P) 
= A2(P) A acV 0 
= P A oc'V 0 


{Assumption: P is A2-healthy} 
{Lemma IL.C.1.291 } 
{Assumption: P is A2-healthy} 


□ 


Lemma L.G.7.12 Provided P is A2 -healthy, 
p2ac o ac2p(P)[{x} / ac'] = P[{x}/ac'] 


Proof. 

p2ac o ac2p(P)[{x}/ac / ] {Assumption: P is A2-healthy and Lemma [L.G.7.11 } 
= (P A ac' 7 ^ ®)[{x} / ac'] {Substitution} 

= P[{x}/ac'] A {x} 7 ^ 0 {Property of sets} 

= P[{x}/ac r ] 


□ 


G.7.5 Lifting 


Definition 122 (G 


Lemma L.G.7.13 


t'(P) = 3 y • ?/ e ac 1 A P[{ 2 /}/ac'] 
Provided ac' is not free in P, 


PBMH(dt(P)) = ©!,(/>) 


Proof. 

PBMHftgpP)) 


{Assumption and Lemma L.G.7.29} 
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PBMH(3 y • P A y E ac ') {Definition of PBMH (Lemma L.4.2.1 )} 

3 ac 0 • i/3y • P A y E ac')[ac 0 /ac'] A ac 0 C ac' 

{Assumption: ac' not free in P and substitution} 

3 ac 0 • [3y • P A y E ac 0 ) A ac 0 C ac' {Predicate calculus} 

3 ac 0 , y • P A y E ac 0 A ac 0 C ac' {Predicate calculus and property of sets} 
3 y • P A y E ac {Definition of (©f ac ,} 

©Dp) 


□ 


Lemma L.G.7.14 


RA1((DL'(^)) = ©L(RA1(P[{ ?/ } n ac'/ac']) A s.tr < y.tr) 

Proof. 

RAl(©» c ,(P)) 

= RA1(3?/ • P[{y} D ac'/ac'] Ay E ac') 

= 3y.RAl(P[{y} fl ac'/ac'] A y E ac) 

= 3 y • RA1(P[{?/} D ac'/ac']) A RAl(y E ac') 

= 3 ?/ • RA1(P[{?/} fl ac'/ac']) A s.tr < y.tr A y E ac' 

= ©L( RA1 ( P [(?/} n ac'/ac']) A s.tr < y.tr) 

□ 


{Definition of (©f ac ,} 
{Lemma I b. G. 1.1 21 } 
{Theorem IT. 5.2. 21} 
{Lemma IL.G.1.131 } 
{Definition of (e)^,,} 


Lemma L.G.7.15 Provided ac' is not free in P, 
RAl(©”„,(/>)) = ©l,( p A s - tr S V© 


Proof. 


RAl (© y ac ,(P)) {Lemma IL.G.7.141 } 

= (DL'(RAi( R [{?/} n ac'/ac']) A s.tr < y.tr) {Substitution: ac' not free in P} 

= ©L( RA1 ( p ) A s - tr < V - tr ) 


{Assumption: ac' is not free in P and Lemma L.G.1.19 } 
= ( f/f ac ,(P A RAl(frae) A s.tr < y.tr) {Lemma IL.G. 1.101 } 

= ( &f ac ,(P A (3 z • s.tr < z.tr A z E ac') A s.tr < y.tr) {Definition of (©f ac ,} 
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= 3 y • P A (3 z • s.tr < z.tr A z G ac ') A s.tr < y.tr A y G ac' 

{Predicate calculus} 

= (3 y • P A s.tr < y.tr A y G ac') A (3 z • s.tr < z.tr A z G ac') 

{Predicate calculus} 

= 3 y • P A s.tr < y.tr A y £ ac' {Definition of (e) 2/ ,} 

= (D^,(P As.tr < y.tr ) 


□ 


Lemma L.G.7.16 Provided ac' is not free in P, 
RA2(©» c ,(P)) 


3»«RA2(P) A©^(s .tr < z.tr A y = z © {tr z.tr — s.tr}) 


Proof. 


RA2((e) 2/ ,(P)) {Assumption: ac' is not free in P and Lemma L.G.7.29} 

= RA2(3 y • P A y G ac') {Lemma lL.G.7.191} 

= 3?/ • RA2(P A y G ac') {Theorem IT.5.2.61} 

= 3 y • RA2(P) A RA2(y G ac') {Lemma IL.G.7.17T } 

= 3 y • RA2(P) A (g) z ,(s.tr < z.tr A y — z © {tr z.tr — s.tr}) 


□ 


Lemma L.G.7.17 Provided x is not s, 

RA2(i G ac') = (G) z c ,(s.tr < z.tr Ai = z0 {tr z.tr — s.tr}) 


Proof. 

RA2(x G ac') {Definition of RA2} 

= (iG ac')[s © {tr G ()},{z | z G ac' A s.tr < z.tr • z © {tr i—> z.tr — s.tr}}/s, ac'] 

{Substitution: x is not s} 

= x G {z | z G ac' A s.tr < z.tr • z © {tr z.tr — s.tr}} {Property of sets} 

= 3 z • z G ac' A s.tr < z.tr A x = z © {tr t-A z.tr — s.tr} {Definition of (g) z ,} 
= (G) z ,(s.tr < z.tr Ai = zffi {tr i-A z.tr — s.tr}) 
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□ 


Lemma L.G.7.18 RA2 (x G ac') = x © {tr i—>■ s.tr ^ x.tr} G ad 


Proof. 


RA2(i G ad) (Definition of RA2 (Lemma L.G.2.1)} 

= (x G ad)[s © {tr i-G ()},{?/ | V © {tr i—>• s.tr ^ y.tr } G ad}/s , ad] 

{Substitution} 

= xe{y\ y © {tr H- s.tr ^ y.tr} G ad} (Property of sets} 

= x © {tr i—^ s.tr ^ x.tr} G ad 


□ 


Lemma L.G.7.19 Provided x is not in the set (s, ad}, 


RA2(3 x • P) — 3 x • RA2(P) 


Proof. 


RA2(3 x • P) (Definition of RA2} 

= (3x • -P) [5 © {tr i —y ()}, {z \ z G ad A s.tr < z.tr • z © {tr i—> z.tr — s.tr}} / s, ad] 

(Assumption: x is not ad nor s and predicate calculus} 

= 3 x • P[s © {tr H- ()}, {z \ z E ad A s.tr < z.tr • z ® {tr i—> z.tr — s.tr}}/s, ad] 

(Definition of RA2} 


= 3x • RA2(P) 


□ 


Lemma L.G.7.20 Provided ad is not free in P, 

RA1 o RA2 o PBMH(0* c ,(F)) 

(ef z ac ,(P[s © {tr i-G ()}/s][z © {tr i-G z.tr — s.tr}/y] A s.tr < z.tr ) 


Proof. 


RA1 o RA2 o PBMH(@ y ac ,(P)) 


(Assumption: ad is not free in P and Lemma L.G.7.13]- 
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= RA1 o RA2((|)J c ,(P)) {Theorem IT. 5.2. 101 1 

= RA2 o RA1((g)^ c ,(P)) 


{Assumption: ac! is not free in P and Lemma L.G.7.15 [ 


= RA2((D» c ,(P A s.tr < y.tr )) {Lemma IL.G.7.16~1 } 

= 3y RA2 (P A s.tr < y.tr ) A (e)* ,(s.tr < z.tr A y = z © {tr H* z.tr — s.tr}) 

{Theorem IT. 5.2. 61} 

= 3 y RA2(P) A RA2(s .tr < y.tr ) A (e)* c ,(s.tr < z.tr A y = z © {tr H y z.tr — s.tr}) 

{Definition of RA2 and substitution} 

= 3 y RA2(P) A () < y.tr A (e)~ c ,(s.tr < z.tr A y = z © {tr i-A z.tr — s.tr}) 

{Property of sequences} 

= 3 y • RA2(P) A (^f ac ,(s.tr < z.tr A y = z © {tr i-A z.tr — s.tr}) 

{Assumption: ac' is not free in P and Lemma [L .G. 7.21 } 

= 3 y • P[s © {tr t—)■ ()}/s] A (e ~) z d {s.tr < z.tr A y = z (B {tr i-A z.tr — s.tr}) 

{Definition of (e)“ c ,} 

= 3 y • P[s © {tr t—)■ ()}/s] A (3 z • s.tr < z.tr A y = z © {tr i-A z.tr — s.tr} A z G ac') 

{Predicate calculus} 

= 3 y,z • P[s © {tr t—)■ ()}/s] A s.tr < z.tr A y = z@ {tr h -> z.tr — s.tr} A z G ac' 

{One-point rule} 


= 3 z • P[s © {tr i—>• ()}/s][z © {tr t—)■ z.tr — s.tr}/y] A s.tr < z.tr A z £ ac' 

{Definition of (e)“ c ,} 

= (e)^,(P[sffi {tr i-A ()}/s][zffi {tr i-A z.tr — s.tr}/y\ A s.tr < z.tr) 


□ 


Lemma L.G.7.21 Provided ac' is not free in P, 
RA2 (P) = P[s © {tr i->- ()}/s] 


Proof. 

RA2(P) {Definition of RA2} 




z G ac' A s.tr < z.tr 

l / ,1 

s © {tr i y ()}, < 

l 2 

• z®{tr^ z.tr- s.tr} ^ 

> / s, ac 


{Assumption: ac' is not free in P} 


P[s © {tr i-» ()}/s] 
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□ 


Lemma L.G.7.22 

RA1 o RA2 o PBMH((?)^ ( ( 2 /.fr = s.tr A a ^ y.ref A y.wait)) 
(&) y ,(y.tr = s.tr A a y.ref A y.wait) 


Proof. 

RA1 o RA2 o PBMH((G)^ c ,(y.tr = s.tr A a ^ y.ref A y.wait )) 


= <K> / 


= e 


/ y.tr = s.tr \ 
A 

a ^ y.re/ 

A 

\ y.wait ) 


{Lemma IL.G.7.201 } 

\ 


[s © {tr i ^ ()}/s][z © {tr i ^ z.tr — s.tr}/?/] 


A 

\ s.tr < z.tr 

( V-tr = () \ 
A 

a </ 2 /. re/ 

A 

\ y.wait ) 
A 


{Substitution and value of record component tr} 

\ 


[.z © {tr i->- z.tr — s.tr}/y] 


\ s.tr < z.tr ) 

{Substitution and value of record component tr} 

= (E)~ ,(z.tr — s.tr — () A a ^ z.ref A z.wait A s.tr < z.tr) 


{Property of sequences} 

= (e) z , (z.tr = s.tr A a 2 :.re/ A z.wait A s.tr < z.tr) {Predicate calculus} 

= (§f ,{z.tr = s.tr A a £ z.ref A z.wait) {Variable renaming} 

= (e y ,(y.tr = s.tr A a £ y.ref A y.wait) 
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□ 


Lemma L.G.7.23 


RA1 o RA2 o PBMH((e/ ,{y.tr = s.tr ^ (a) A-> y.wait )) 


© V ac ,(y-tr = s.tr ~ (a) A y.wait) 


Proof. 

RA1 o RA2 o PBMH((e)^,(j/.fr = s.tr ^ (a) A -> y.wait )) {Lemma IL.G. 7.201 } 

/ / y.tr = s.tr ^ (a) \ \ 


= e 


A 


y.wait 


[s © {tr i-> ()}/s][z © {tr \-A z.tr — s.tr}/y\ 




A 


/ 


= G 




\ s.tr < z.tr 

{Substitution and value of record component tr} 

( y.tr — () ^ (a) A -> y.wait)[z © {tr H > z.tr — s.tr}/y] \ 

A 

s.tr < z.tr 

{Property of sequences} 

/ ( y.tr = (a) A -i y.wait)[z © {tr i-A z.tr — s.tr}/y] ^ 

A 

^at 

\ s.tr < z.tr 

{Substitution and value of record component tr} 
= (g)“ ,(z.tr — s.tr = (a) A -> z.wait A s.tr < z.tr ) {Property of sequences} 

= (&f ,(z.tr = s.tr ^ (a) A -> z.wait A s.tr < z.tr) 

{Property of sequences and predicate calculus} 

= (e) z ,(z.tr = s.tr ^ (a) A -> z.wait) {Variable renaming} 

= (D lr'(y- tr = s.tr ^ (a) A y.wait) 


= e 


/ 


El- 


Lemma L.G.7.24 

RA1 o RA2 o PBMH(@^(s.fr ~ (a) < y.tr)) 
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(DL( s - tr ~ <°) < y - tr ) 


Proof. 


RA1 o RA2 o PBMH((e)^,(s.fr ~ (a) < y.tr )) ili-imna El i 

f ( s.tr ^ (a) < y.tr)[s © {tr i->- ()}/s][z © {tr i->- z.tr — s.tr}/y\ \ 


= e 


A 


7 


\ s.tr < z.tr 

{Substitution and value of record component tr} 
( (() ^ (a) < y.tr)[z © {tr (->• z.tr — s.tr}/y\ \ 


= e 


A 


7 


\ s.tr < z.tr 

{Substitution and value of record component tr} 
= (G)“ ,(() ^ (a) < z.tr — s.tr A s.tr < z.tr ) {Property of sequences} 

= © z ,((a) < z.tr — s.tr A s.tr < z.tr ) {Property of sequences} 

= (e)~ c ,(s.ir ^ (a) < z.tr A s.tr < z.tr) 

{Property of sequences and predicate calculus} 

= (e)“ ,(s.£r ^ (a) < z.tr ) {Variable renaming} 

= (DL'( s - tr ^ (°> < y- tr ) 


□ 


Lemma L.G.7.25 ©^(P V (?) = ©^,(P) V ©^(Q) 


Proof. 


© V aA P V <?) {Definition of ©J^} 

= 3 y • (P V <J)[{y} D ac'/ac'] A y € ac' {Substitution} 

= 3 y • (P[{y} D ac'/ac'] V <5[{y} D ac'/ac']) A y £ ac' {Predicate calculus} 

= (3 ?/ • P[{y} n ac /ac'] A y € ac 7 ) V (3 y • <5[{y} H ac Vac'] Aye ac 7 ) 

{Definition of (e)^,} 


= ©L(-p)v©L(« 


n 








G.7. RELATIONSHIP WITH CSP 


615 


Lemma L.G.7.26 


RAl o RA2 o PBMH 

/ 

(?f / 

/ (y.tr = s.tr A a f: y.ref) \ 
< y.wait > 

\ 


V 

y (y.tr = s.tr ^ (a)) ) 

) 


( 

©L 

/ (y.tr = s.tr A a fi y.ref) \ 
<y.wait> 

\ 

V 

y (y.tr = s.tr ^ (a)) ) 

) 


Proof. 


RA1 o RA2 o PBMH 


(?) y , 

v —?ac' 


= RAl o RA2 o PBMH 


(?) y , 

V_yac' 


/ / ( y.tr = s.tr A a ^ y.ref) \ \ 

<y.wait> 

\ (y.tr = s.tr ~ (a)) // 

{Definition of conditional} 

/ ( y.tr = s.tr A a ^ t/.re/ A y.wait ) \ \ 

V 

\ ( y.tr = s.tr ^ (a) A -> y.wait ) / ) 

{Lemma IL.G. 7.251 } 

/ ( ,(y.tr = s.tr A a ^ y.re/ A y.wait ) \ 

V 

\ ©1 ,(y-tr = s.tr ~ (a) A -1 y.wait ) / 

{Theorems |T.E.2.2| |T.5.2.3| and |T.5.2.7|| 

/ RAl o RA2 o PBMH(0^(j/ .tr = s.tr A a y.ref A y.wait )) \ 

V 

^ RAl o RA2 o PBMH((e)^,(t/.tr = s.tr ^ (a) A -i y.wait )) / 

{Lemmas IL.G.7.221 and IL.G.7.231 } 

( ,(y.tr = s.tr A a ^ ?/.re/ A y.wait ) \ 


= RAl o RA2 o PBMH 


= I V 

£) v ac ,(y-tr = s.tr ^ (a) A -i y.wait ) / 

/ (y.tr = s.tr A a y.ref A y.wait) \ 
= ©" , V 

NSac' 

\ (y.tr = s.tr ^ (a) A -i y.wait) J 


{Lemma IL.G. 7.251 } 


{Definition of conditional} 





































616 


APPENDIX G. REACTIVE ANGELIC DESIGNS (RADj 


= e 


ad 


( ( y.tr = s.tr A a ^ y. ref ) \ 
<y.wait> 

\ ( y.tr = s.tr ^ (a)) ) 


□ 


Lemma L.G.7.27 Provided ad is not free in P, 

(D1'( P ) m Q = 3 V * P A Q[y/s\ 


Proof. 


© :a p) u q 

= (3y • P Ay e ad) ; A 
= (3 y»P Aye ac')[{s 

= 3yPAye{s\ <5} 
= 3 y • P A <2[?//s] 


{Lemma IL.G.7.291 } 

Q {Definition of 5^} 

I <5}/«c'] 

{Assumption: ad is not free in P and substitution} 

{Property of sets} 


□ 


Lemma L.G.7.28 Provided P is PBMH -healthy, 
(ef ac ,(P) = 3 y P[{y}/ad] Aye ad 


Proof. 


© a A P ) {Definition of (D ac ,} 

= 3 y • P[{y} D ad/ad] A y e ad {Assumption: P is PBMH-healthy} 

= 3 y (PBMH(P))[{?/} n ad/ad] A y e ad 

{Definition of PBMH (Lemma |L. 4.2. 3» 

= 3y • (3 aco • P[aco/ac'] A aco C ac')[{y} D ad/ad] A y e ad {Substitution} 
= 3 y • (3 aco • P[aco/ac'] A aco C {y} D ad) A y e ad {Property of sets} 

= 3 y • (3 aco • P[aco/ac'] A aco C ad A aco C {?/}) A y e ad 

{Predicate calculus} 

= 3 y, aco • P[aco/ac'] A aco C ad A aco C {y} Aye ad 

{Property of sets and predicate calculus} 
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= 3 y, ac 0 • P[ac 0 /ac'] A ac 0 C { y } A y E ac' {Predicate calculus} 

= 3 y • (3 ac 0 • P[ac 0 /ac'] A ac 0 C {y}) A y £ ac' {Substitution} 

= 3 y • (3 ac 0 • P[ac 0 /ac'] A ac 0 C ac')[{?/}/ac'] A y E ac' 

{Definition of PBMH (Lemma L.4.2.1)} 

= 3 j/ • PBMH(P)[{i/}/ac'] A y E ac' {Assumption: P is PBMH-healthy} 

= 3?/ • P[{f/}/ ac'] A y E ad 


□ 

Lemma L.G.7.29 Provided ac! is not free in P, (E) y ,(P) = 3y»PAyEac' 
Proof. 

(DL ( P ) {Definition of } 

= 3 ?/ • P[{?/} D ac'/ac’] A y E ac' {Assumption: ac' is not free in P} 

= 3y»PAyEac' 


□ 


Lemma L.G.7.30 ©* ,(P V Q) = ©” (P) V ©"(<?) 


Proof. 


©L'( P V *5) {Definition of (e)^,} 

= (3 y • (P V <5)[{s/} fl ac' / ac'] Ay E ac') {Substitution} 

= (3 y • (P[{f/} H ac' / ac'] V $[{?/} H ac' / ac']) A y E ac) {Predicate calculus} 

= 3 y • ( P[{y} D ac' / ac'] Ay E ac') V (Q[{y} fl ac' / ac'] Ay E ac') 

{Predicate calculus} 

= 3 y • ( P[{y} H ac'/ac'] Ay E ac') V 3 y • (Q[{y} fl ac'/ac'] Ay E ac') 

{Definition of (E) V ac , } 

= ©L(-p)v©L(<?) 


□ 


Lemma L.G.7.31 


(E) V ac ,(P < c 0 A ... A c n > Q) 
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DL(c 0 A ... A c n A P) V ©!!.(-. Co A Q) V ... V (§)"(-■ c n A Q) 


Proof. 

© V ac ,(P<c 0 A ... A c n > Q) 

( {cq A ... A c n A P) \ 


= € 


= 


v 


{Definition of conditional} 
{Predicate calculus} 


\ (- 1 (co A ... A c„) A <5) / 
/ (c 0 A ... A c n A P) 


\ 


V 


{Predicate calculus} 

V ((-> Co v ... V -1 c n ) A Q) ) 

= (DL ( (c 0 A ... A c n A P) V (-. Co A Q) V ... V (-. c n A Q) ) 

{Lemma IL.G.7.301 } 

= (DL'( c o A ... A c n A P) V dX c ,(-. Co A Q) V ... V c n A Q) 

□ 


Lemma L.G.7.32 Provided s.tr < z.tr, 


( s.tr = y.tr A y.wait)[s © {tr i —> ()}/s][?/ © {tr i—)■ y.tr — s.tr}/y] 


( s.tr = y.tr A y.wait ) 


Proof. 

( s.tr = y.tr A y.wait)[s © {tr H- ()}/s][?/ © {tr H > y.tr — s.tr}/y] {Substitution} 
= s © {tr (-)■ ()}.tr = y © {tr i—> y.tr — s.tr}.tr Ay © {tr i —> y.tr — s.tr}.wait 

{Property of © and value of component tr} 

= () = y.tr — s.tr A y.wait {Assumption and property of sequences} 

= s.tr = y.tr A y.wait 


□ 


Lemma L.G.7.33 Provided s.tr < y.tr, 


( s.tr 7 ^ y.tr)[s © {tr i —> ()}/s][y © {tr i —> y.tr — s.tr}/y] 
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( s.tr ^ y.tr ) 


Proof. 

( s.tr ^ y.tr)[s © {tr (->• ()}/s][?/ © {tr (->• y.tr — s.tr}/y] {Substitution} 

= (s © {tr (->■ ()}).tr 7^ (y IB {tr ^ y.tr — s.tr}).tr 

{Property of © and value of component tr} 

— () 7^ y.tr — s.tr {Assumption and property of sequences} 

= s.tr ^ y.tr 


□ 


Lemma L.G.7.34 Provided x is not tr, 

( y.x)[s © {tr K> ()}/s][?/ ffi {tr i—^ y.tr — s.tr}/y] 

( y-x) 


Proof. 


(?/.a;)[s© {tr (->• ()}/s][?/ffi {tr (->• y.tr — s.tr}/y\ {Substitution} 

= (y © {tr (->• y.tr — s.tr}).x 

{Assumption, property of © and value of component x} 


= y.x 


□ 


Lemma L.G.7.35 Provided:

• $P$ and $Q$ are PBMH-healthy

• For $0 \le i \le n$: $ac'$ is not free in $c_i$

• $(c_0 \land \ldots \land c_n)[s \oplus \{tr \mapsto \langle\rangle\}/s][y \oplus \{tr \mapsto y.tr - s.tr\}/y] = (c_0 \land \ldots \land c_n)$, assuming $s.tr \le y.tr$

• For $0 \le i \le n$: $(\lnot c_i)[s \oplus \{tr \mapsto \langle\rangle\}/s][y \oplus \{tr \mapsto y.tr - s.tr\}/y] = \lnot c_i$, assuming $s.tr \le y.tr$

$\odot^{y}_{ac'}(RA2 \circ RA1(P) \lhd c_0 \land \ldots \land c_n \rhd RA2 \circ RA1(Q)) = RA2(\odot^{y}_{ac'}(P \lhd (c_0 \land \ldots \land c_n) \rhd Q))$

Proof.

$\odot^{y}_{ac'}(RA2 \circ RA1(P) \lhd c_0 \land \ldots \land c_n \rhd RA2 \circ RA1(Q))$ {Definition of conditional}

$= \odot^{y}_{ac'}((RA2 \circ RA1(P) \land (c_0 \land \ldots \land c_n)) \lor (RA2 \circ RA1(Q) \land \lnot c_0) \lor \ldots \lor (RA2 \circ RA1(Q) \land \lnot c_n))$ {Lemma L.G.7.30}

$= \odot^{y}_{ac'}(RA2 \circ RA1(P) \land (c_0 \land \ldots \land c_n)) \lor \odot^{y}_{ac'}(RA2 \circ RA1(Q) \land \lnot c_0) \lor \ldots \lor \odot^{y}_{ac'}(RA2 \circ RA1(Q) \land \lnot c_n)$ {Assumption and Lemma L.G.2.13}

$= RA2(\odot^{y}_{ac'}(P \land (c_0 \land \ldots \land c_n))) \lor RA2(\odot^{y}_{ac'}(Q \land \lnot c_0)) \lor \ldots \lor RA2(\odot^{y}_{ac'}(Q \land \lnot c_n))$ {Theorem T.5.2.7}

$= RA2(\odot^{y}_{ac'}(P \land (c_0 \land \ldots \land c_n)) \lor \odot^{y}_{ac'}(Q \land \lnot c_0) \lor \ldots \lor \odot^{y}_{ac'}(Q \land \lnot c_n))$ {Lemma L.G.7.30}

$= RA2(\odot^{y}_{ac'}((P \land (c_0 \land \ldots \land c_n)) \lor (Q \land \lnot c_0) \lor \ldots \lor (Q \land \lnot c_n)))$ {Definition of conditional}

$= RA2(\odot^{y}_{ac'}(P \lhd (c_0 \land \ldots \land c_n) \rhd Q))$

□


Lemma L.G.7.36 Provided that $P$ and $Q$ are PBMH-healthy,

$\odot^{y}_{ac'}(RA2 \circ RA1(P) \lhd y.tr = s.tr \land y.wait \rhd RA2 \circ RA1(Q)) = RA2(\odot^{y}_{ac'}(P \lhd y.tr = s.tr \land y.wait \rhd Q))$

Proof.

$\odot^{y}_{ac'}(RA2 \circ RA1(P) \lhd y.tr = s.tr \land y.wait \rhd RA2 \circ RA1(Q))$ {Assumption: $P$ and $Q$ are PBMH-healthy, and Lemmas L.G.7.32 to L.G.7.35}

$= RA2(\odot^{y}_{ac'}(P \lhd y.tr = s.tr \land y.wait \rhd Q))$

□

Lemma L.G.7.37 $\odot^{y}_{ac'}(P \land \odot^{z}_{ac'}(Q)) = \odot^{y}_{ac'}(P \land Q[y/z])$

Proof.

$\odot^{y}_{ac'}(P \land \odot^{z}_{ac'}(Q))$ {Definition of $\odot^{y}_{ac'}$}

$= \exists y \bullet (P \land \odot^{z}_{ac'}(Q))[\{y\} \cap ac'/ac'] \land y \in ac'$ {Substitution}

$= \exists y \bullet P[\{y\} \cap ac'/ac'] \land \odot^{z}_{ac'}(Q)[\{y\} \cap ac'/ac'] \land y \in ac'$ {Lemma L.G.7.38}

$= \exists y \bullet P[\{y\} \cap ac'/ac'] \land Q[y/z][\{y\} \cap ac'/ac'] \land y \in ac' \land y \in ac'$ {Predicate calculus}

$= \exists y \bullet P[\{y\} \cap ac'/ac'] \land Q[y/z][\{y\} \cap ac'/ac'] \land y \in ac'$ {Substitution}

$= \exists y \bullet (P \land Q[y/z])[\{y\} \cap ac'/ac'] \land y \in ac'$ {Definition of $\odot^{y}_{ac'}$}

$= \odot^{y}_{ac'}(P \land Q[y/z])$

□

Lemma L.G.7.38 $\odot^{z}_{ac'}(Q)[\{y\} \cap ac'/ac'] = Q[y/z][\{y\} \cap ac'/ac'] \land y \in ac'$

Proof.

$\odot^{z}_{ac'}(Q)[\{y\} \cap ac'/ac']$ {Definition of $\odot^{z}_{ac'}$}

$= (\exists z \bullet Q[\{z\} \cap ac'/ac'] \land z \in ac')[\{y\} \cap ac'/ac']$ {Substitution}

$= \exists z \bullet Q[\{z\} \cap \{y\} \cap ac'/ac'] \land z \in \{y\} \cap ac'$ {Property of sets}

$= \exists z \bullet Q[\{z\} \cap \{y\} \cap ac'/ac'] \land z \in \{y\} \land z \in ac'$ {Property of sets}

$= \exists z \bullet Q[\{z\} \cap \{y\} \cap ac'/ac'] \land z = y \land z \in ac'$ {One-point rule}

$= Q[\{z\} \cap \{y\} \cap ac'/ac'][y/z] \land y \in ac'$ {Substitution}

$= Q[y/z][\{y\} \cap \{y\} \cap ac'/ac'] \land y \in ac'$ {Property of sets}

$= Q[y/z][\{y\} \cap ac'/ac'] \land y \in ac'$

□


Properties with respect to PBMH 

Lemma L.G.7.39 $\odot^{y}_{ac'}(PBMH(P) \land Q) \Rightarrow PBMH(P)$

Proof.

$\odot^{y}_{ac'}(PBMH(P) \land Q)$ {Definition of $\odot^{y}_{ac'}$}

$= \exists y \bullet (PBMH(P) \land Q)[\{y\} \cap ac'/ac'] \land y \in ac'$ {Substitution}

$= \exists y \bullet PBMH(P)[\{y\} \cap ac'/ac'] \land Q[\{y\} \cap ac'/ac'] \land y \in ac'$ {Predicate calculus}

$\Rightarrow \exists y \bullet PBMH(P)[\{y\} \cap ac'/ac'] \land y \in ac'$ {Definition of $\odot^{y}_{ac'}$ and Lemma L.G.7.28}

$= \exists y \bullet PBMH(P)[\{y\}/ac'] \land y \in ac'$ {Introduce fresh variable $z$}

$= \exists y, z \bullet PBMH(P)[z/ac'] \land z = \{y\} \land y \in ac'$ {Property of sets}

$= \exists y, z \bullet PBMH(P)[z/ac'] \land z = \{y\} \land y \in ac' \land z \subseteq ac'$ {Predicate calculus}

$\Rightarrow \exists z \bullet PBMH(P)[z/ac'] \land z \subseteq ac'$ {Definition of PBMH (Lemma L.4.2.1)}

$= PBMH \circ PBMH(P)$ {Theorem T.E.2.1}

$= PBMH(P)$

□


Lemma L.G.7.40

$\lnot PBMH(P) \land \odot^{y}_{ac'}(((PBMH(P) \land Q) \lor R) \lhd c \rhd T) = \lnot PBMH(P) \land \odot^{y}_{ac'}(R \lhd c \rhd T)$

Proof.

$\lnot PBMH(P) \land \odot^{y}_{ac'}(((PBMH(P) \land Q) \lor R) \lhd c \rhd T)$ {Definition of conditional}

$= \lnot PBMH(P) \land \odot^{y}_{ac'}((c \land ((PBMH(P) \land Q) \lor R)) \lor (\lnot c \land T))$ {Predicate calculus}

$= \lnot PBMH(P) \land \odot^{y}_{ac'}((c \land PBMH(P) \land Q) \lor (c \land R) \lor (\lnot c \land T))$ {Lemma L.G.7.30}

$= \lnot PBMH(P) \land (\odot^{y}_{ac'}(c \land PBMH(P) \land Q) \lor \odot^{y}_{ac'}(c \land R) \lor \odot^{y}_{ac'}(\lnot c \land T))$ {Lemma L.G.7.39 and predicate calculus}

$= \lnot PBMH(P) \land ((\odot^{y}_{ac'}(c \land PBMH(P) \land Q) \land PBMH(P)) \lor \odot^{y}_{ac'}(c \land R) \lor \odot^{y}_{ac'}(\lnot c \land T))$ {Predicate calculus}

$= \lnot PBMH(P) \land (\odot^{y}_{ac'}(c \land R) \lor \odot^{y}_{ac'}(\lnot c \land T))$ {Lemma L.G.7.30}

$= \lnot PBMH(P) \land \odot^{y}_{ac'}((c \land R) \lor (\lnot c \land T))$ {Definition of conditional}

$= \lnot PBMH(P) \land \odot^{y}_{ac'}(R \lhd c \rhd T)$

□


Lemma L.G.7.41

$\lnot PBMH(P) \land \odot^{y}_{ac'}(Q \lhd c \rhd (PBMH(P) \lor R)) = \lnot PBMH(P) \land \odot^{y}_{ac'}(Q \lhd c \rhd R)$

Proof.

$\lnot PBMH(P) \land \odot^{y}_{ac'}(Q \lhd c \rhd (PBMH(P) \lor R))$ {Definition of conditional}

$= \lnot PBMH(P) \land \odot^{y}_{ac'}((c \land Q) \lor (\lnot c \land (PBMH(P) \lor R)))$ {Predicate calculus}

$= \lnot PBMH(P) \land \odot^{y}_{ac'}((c \land Q) \lor (\lnot c \land PBMH(P)) \lor (\lnot c \land R))$ {Lemma L.G.7.30}

$= \lnot PBMH(P) \land (\odot^{y}_{ac'}(c \land Q) \lor \odot^{y}_{ac'}(\lnot c \land PBMH(P)) \lor \odot^{y}_{ac'}(\lnot c \land R))$ {Lemma L.G.7.39 and predicate calculus}

$= \lnot PBMH(P) \land (\odot^{y}_{ac'}(c \land Q) \lor (\odot^{y}_{ac'}(\lnot c \land PBMH(P)) \land PBMH(P)) \lor \odot^{y}_{ac'}(\lnot c \land R))$ {Predicate calculus}

$= \lnot PBMH(P) \land (\odot^{y}_{ac'}(c \land Q) \lor \odot^{y}_{ac'}(\lnot c \land R))$ {Lemma L.G.7.30}

$= \lnot PBMH(P) \land \odot^{y}_{ac'}((c \land Q) \lor (\lnot c \land R))$ {Definition of conditional}

$= \lnot PBMH(P) \land \odot^{y}_{ac'}(Q \lhd c \rhd R)$

□


Properties with respect to ac2p 

Theorem T.G.7.16 Provided $ac'$ is not free in $P$, $Q$ and $R$, and $y$ is not free in $P$ nor $Q$,

$ac2p(\odot^{y}_{ac'}(p2ac(P) \land p2ac(Q) \land R)) = P \land Q \land R[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s]$

Proof.

$ac2p(\odot^{y}_{ac'}(p2ac(P) \land p2ac(Q) \land R))$ {Lemmas L.4.6.1 and L.C.5.43}

$= ac2p((p2ac(P) \land p2ac(Q))[\{undash(State_{II}(out\alpha_{ok'}))\} \cap ac'/ac']) \land R[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s]$ {Assumption: $ac'$ is not free in $P$ nor $Q$, and Lemma L.C.5.10}

$= ac2p(p2ac(P \land Q)[\{undash(State_{II}(out\alpha_{ok'}))\} \cap ac'/ac']) \land R[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s]$ {Lemma L.C.5.11}

$= ac2p((P \land Q)[State_{II}(in\alpha_{ok})/s] \land undash(State_{II}(out\alpha_{ok'})) \in ac') \land R[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s]$ {Assumption: $ac'$ is not free in $P$ nor $Q$, and Lemma L.C.5.45}

$= P \land Q \land R[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s]$

□

Lemma L.G.7.42 Provided $ac'$ is not free in $P$, $Q$ and $R$, and $y$ is not free in $P$ nor $Q$,

$ac2p(\odot^{y}_{ac'}(p2ac(P) \land R)) = P \land R[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s]$

Proof.

$ac2p(\odot^{y}_{ac'}(p2ac(P) \land R))$ {Lemma L.C.5.9}

$= ac2p(\odot^{y}_{ac'}(p2ac(P) \land ac' \neq \emptyset \land R))$ {Lemma L.C.5.2}

$= ac2p(\odot^{y}_{ac'}(p2ac(P) \land p2ac(true) \land R))$ {Assumption and Theorem T.G.7.16}

$= P \land true \land R[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s]$ {Predicate calculus}

$= P \land R[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s]$

□


Lemma L.G.7.43 Provided $P$ is PBMH-healthy, $PBMH(\odot^{y}_{ac'}(P)) = \odot^{y}_{ac'}(P)$

Proof.

$PBMH(\odot^{y}_{ac'}(P))$ {Assumption: $P$ is PBMH-healthy, and Lemma L.G.7.28}

$= PBMH(\exists y \bullet P[\{y\}/ac'] \land y \in ac')$ {Definition of PBMH (Lemma L.4.2.1)}

$= \exists ac_0 \bullet (\exists y \bullet P[\{y\}/ac'] \land y \in ac')[ac_0/ac'] \land ac_0 \subseteq ac'$ {Substitution}

$= \exists ac_0 \bullet (\exists y \bullet P[\{y\}/ac'] \land y \in ac_0 \land ac_0 \subseteq ac')$ {Property of sets}

$= \exists y \bullet P[\{y\}/ac'] \land y \in ac'$ {Assumption: $P$ is PBMH-healthy, and Lemma L.G.7.28}

$= \odot^{y}_{ac'}(P)$

□


Lemma L.G.7.44

$RA2(\odot^{y}_{ac'}(y.wait \land y.tr = s.tr)) = \odot^{y}_{ac'}(y.wait \land y.tr = s.tr)$

Proof.

$RA2(\odot^{y}_{ac'}(y.wait \land y.tr = s.tr))$ {Lemma L.G.7.16}

$= \exists y \bullet RA2(y.wait \land y.tr = s.tr) \land \odot^{z}_{ac'}(s.tr \le z.tr \land y = z \oplus \{tr \mapsto z.tr - s.tr\})$ {Lemma L.G.7.21}

$= \exists y \bullet (y.wait \land y.tr = s.tr)[s \oplus \{tr \mapsto \langle\rangle\}/s] \land \odot^{z}_{ac'}(s.tr \le z.tr \land y = z \oplus \{tr \mapsto z.tr - s.tr\})$ {Substitution and value of record component $tr$}

$= \exists y \bullet y.wait \land y.tr = \langle\rangle \land \odot^{z}_{ac'}(s.tr \le z.tr \land y = z \oplus \{tr \mapsto z.tr - s.tr\})$ {Definition of $\odot^{z}_{ac'}$ and predicate calculus}

$= \exists y, z \bullet y.wait \land y.tr = \langle\rangle \land s.tr \le z.tr \land y = z \oplus \{tr \mapsto z.tr - s.tr\} \land z \in ac'$ {One-point rule and substitution}

$= \exists z \bullet (z \oplus \{tr \mapsto z.tr - s.tr\}).wait \land (z \oplus \{tr \mapsto z.tr - s.tr\}).tr = \langle\rangle \land s.tr \le z.tr \land z \in ac'$ {Value of record components $tr$ and $wait$}

$= \exists z \bullet z.wait \land z.tr - s.tr = \langle\rangle \land s.tr \le z.tr \land z \in ac'$ {Property of sequences}

$= \exists z \bullet z.wait \land z.tr = s.tr \land z \in ac'$ {Variable renaming and definition of $\odot^{y}_{ac'}$}

$= \odot^{y}_{ac'}(y.wait \land y.tr = s.tr)$

□


Properties with respect to A2 

Lemma L.G.7.45 $A2(\odot^{y}_{ac'}(P)) = \exists y \bullet P[\{y\}/ac'] \land y \in ac'$

Proof.

$A2(\odot^{y}_{ac'}(P))$ {Definition of A2}

$= PBMH(\odot^{y}_{ac'}(P) \downarrow \{s\} = ac')$ {Definition of $\odot^{y}_{ac'}$}

$= PBMH((\exists y \bullet P[\{y\} \cap ac'/ac'] \land y \in ac') \downarrow \{s\} = ac')$ {Definition of $\downarrow$}

$= PBMH((\exists y \bullet P[\{y\} \cap ac'/ac'] \land y \in ac')[\{s \mid \{s\} = ac'\}/ac'])$ {Substitution}

$= PBMH(\exists y \bullet P[\{y\} \cap \{s \mid \{s\} = ac'\}/ac'] \land y \in \{s \mid \{s\} = ac'\})$ {Property of sets}

$= PBMH(\exists y \bullet P[\{s \mid s = y \land \{s\} = ac'\}/ac'] \land \{y\} = ac')$ {Transitivity of equality}

$= PBMH(\exists y \bullet P[\{s \mid s = y \land \{s\} = \{y\}\}/ac'] \land \{y\} = ac')$ {Property of sets}

$= PBMH(\exists y \bullet P[\{y\}/ac'] \land \{y\} = ac')$ {Definition of PBMH (Lemma L.4.2.1)}

$= \exists ac_0 \bullet (\exists y \bullet P[\{y\}/ac'] \land \{y\} = ac')[ac_0/ac'] \land ac_0 \subseteq ac'$ {Substitution}

$= \exists ac_0 \bullet \exists y \bullet P[\{y\}/ac'] \land \{y\} = ac_0 \land ac_0 \subseteq ac'$ {One-point rule}

$= \exists y \bullet P[\{y\}/ac'] \land \{y\} \subseteq ac'$ {Property of sets}

$= \exists y \bullet P[\{y\}/ac'] \land y \in ac'$

□

Theorem T.G.7.17 Provided $P$ is PBMH-healthy, $A2(\odot^{y}_{ac'}(P)) = \odot^{y}_{ac'}(P)$.

Proof.

$A2(\odot^{y}_{ac'}(P))$ {Lemma L.G.7.45}

$= \exists y \bullet P[\{y\}/ac'] \land y \in ac'$ {Assumption: $P$ is PBMH-healthy, and Lemma L.G.7.28}

$= \odot^{y}_{ac'}(P)$

□


G.8 Operators 

G.8.1 Angelic Choice 

Theorem T.5.4.1 Provided $P$ and $Q$ are reactive angelic designs,

$P \sqcup Q = RA \circ A(\lnot P^f_f \lor \lnot Q^f_f \vdash (\lnot P^f_f \Rightarrow P^t_f) \land (\lnot Q^f_f \Rightarrow Q^t_f))$

Proof.

$P \sqcup Q$ {Assumption: $P$ and $Q$ are RAD-healthy}

$= RA \circ A(\lnot P^f_f \vdash P^t_f) \sqcup RA \circ A(\lnot Q^f_f \vdash Q^t_f)$ {Theorem T.G.8.1}

$= RA \circ A((\lnot PBMH(P^f_f) \lor \lnot PBMH(Q^f_f)) \vdash (\lnot PBMH(P^f_f) \Rightarrow PBMH(P^t_f)) \land (\lnot PBMH(Q^f_f) \Rightarrow PBMH(Q^t_f)))$ {Lemma L.E.5.1}

$= RA \circ A((\lnot PBMH(P)^f_f \lor \lnot PBMH(Q)^f_f) \vdash (\lnot PBMH(P)^f_f \Rightarrow PBMH(P)^t_f) \land (\lnot PBMH(Q)^f_f \Rightarrow PBMH(Q)^t_f))$ {Assumption: $P$ and $Q$ are RAD-healthy, and Theorem T.5.2.21}

$= RA \circ A((\lnot P^f_f \lor \lnot Q^f_f) \vdash (\lnot P^f_f \Rightarrow P^t_f) \land (\lnot Q^f_f \Rightarrow Q^t_f))$

□


Theorem T.5.4.2 $ac2p(p2ac(P) \sqcup_{RAD} p2ac(Q)) = P \sqcup_R Q$

Proof.

$ac2p(p2ac(P) \sqcup_{RAD} p2ac(Q))$ {Definition of $\sqcup_{RAD}$}

$= ac2p(p2ac(P) \land p2ac(Q))$ {Theorem T.C.5.2}

$= ac2p \circ p2ac(P) \land ac2p \circ p2ac(Q)$ {Theorem T.5.3.5}

$= P \land Q$ {Definition of $\sqcup_R$}

$= P \sqcup_R Q$

□


Theorem T.5.4.3 Provided that $P$ and $Q$ are reactive angelic designs,

$p2ac(ac2p(P) \sqcup_R ac2p(Q)) \sqsupseteq P \sqcup_{RAD} Q$

Proof.

$p2ac(ac2p(P) \sqcup_R ac2p(Q))$ {Definition of $\sqcup_R$}

$= p2ac(ac2p(P) \land ac2p(Q))$ {Theorem T.4.6.2}

$\sqsupseteq p2ac \circ ac2p(P) \land p2ac \circ ac2p(Q)$ {Theorem T.G.7.13}

$\sqsupseteq PBMH(P) \land PBMH(Q)$ {$P$ and $Q$ are RAD-healthy, and Theorem T.5.2.21}

$= P \land Q$ {Definition of $\sqcup_{RAD}$}

$= P \sqcup_{RAD} Q$

□


Theorem T.G.8.1

$RA \circ A(P \vdash Q) \sqcup RA \circ A(R \vdash S) = RA \circ A((\lnot PBMH(\lnot P) \lor \lnot PBMH(\lnot R)) \vdash (\lnot PBMH(\lnot P) \Rightarrow PBMH(Q)) \land (\lnot PBMH(\lnot R) \Rightarrow PBMH(S)))$

Proof.

$RA \circ A(P \vdash Q) \sqcup RA \circ A(R \vdash S)$ {Definition of $\sqcup$}

$= RA \circ A(P \vdash Q) \land RA \circ A(R \vdash S)$ {Theorem T.G.1.6}

$= RA \circ PBMH(P \vdash Q) \land RA \circ PBMH(R \vdash S)$ {Theorem T.G.4.1}

$= RA(PBMH(P \vdash Q) \land PBMH(R \vdash S))$ {Theorem T.E.3.1}

$= RA \circ PBMH(PBMH(P \vdash Q) \land PBMH(R \vdash S))$ {Lemma L.4.2.2}

$= RA \circ PBMH((\lnot PBMH(\lnot P) \vdash PBMH(Q)) \land (\lnot PBMH(\lnot R) \vdash PBMH(S)))$ {Theorem T.G.1.6}

$= RA \circ A((\lnot PBMH(\lnot P) \vdash PBMH(Q)) \land (\lnot PBMH(\lnot R) \vdash PBMH(S)))$ {Conjunction of designs}

$= RA \circ A((\lnot PBMH(\lnot P) \lor \lnot PBMH(\lnot R)) \vdash (\lnot PBMH(\lnot P) \Rightarrow PBMH(Q)) \land (\lnot PBMH(\lnot R) \Rightarrow PBMH(S)))$

□
Theorem T.G.8.2 Provided $\lnot P$, $\lnot R$, $Q$ and $S$ are PBMH-healthy,

$RA \circ A(P \vdash Q) \sqcup RA \circ A(R \vdash S) = RA \circ A(P \lor R \vdash (P \Rightarrow Q) \land (R \Rightarrow S))$

Proof.

$RA \circ A(P \vdash Q) \sqcup RA \circ A(R \vdash S)$ {Theorem T.G.8.1}

$= RA \circ A((\lnot PBMH(\lnot P) \lor \lnot PBMH(\lnot R)) \vdash (\lnot PBMH(\lnot P) \Rightarrow PBMH(Q)) \land (\lnot PBMH(\lnot R) \Rightarrow PBMH(S)))$ {Assumption: $\lnot P$, $\lnot R$, $Q$ and $S$ are PBMH-healthy}

$= RA \circ A((\lnot \lnot P \lor \lnot \lnot R) \vdash (\lnot \lnot P \Rightarrow Q) \land (\lnot \lnot R \Rightarrow S))$ {Predicate calculus}

$= RA \circ A(P \lor R \vdash (P \Rightarrow Q) \land (R \Rightarrow S))$

□
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Theorem T.G.8.3 Provided P is a reactive angelic design, ChaosuAD Urad 
RA o A(-< P f f b Pj) = RA o A(-. P f f b Pj) 

Proof. 

Chaos U RA o A(-> Pj b Pj) {Definition of Chaos } 

= RA o A (false b ac ± 0) U RA o A(-> P f f b Pj) {Theorem IT. 5.4. 11} 

= RA o A (false V -> Pj b (false =8 ac' ^ 0) A (-i Pj =8 Pj)) 

{Predicate calculus} 

= RA o A(-i P f f b (-. P f f =► Pj)) 


□ 


G.8.2 Demonic Choice 

Theorem T.5.4.4 Provided $P$ and $Q$ are reactive angelic processes,

$P \sqcap_{RAD} Q = RA \circ A(\lnot P^f_f \land \lnot Q^f_f \vdash P^t_f \lor Q^t_f)$

Proof.

$P \sqcap_{RAD} Q$ {Assumption: $P$ and $Q$ are RAD-healthy}

$= RA \circ A(\lnot P^f_f \vdash P^t_f) \sqcap_{RAD} RA \circ A(\lnot Q^f_f \vdash Q^t_f)$ {Theorem T.G.8.4}

$= RA \circ A(\lnot P^f_f \land \lnot Q^f_f \vdash P^t_f \lor Q^t_f)$

□

Theorem T.5.4.5

$p2ac(ac2p(P) \sqcap_R ac2p(Q)) = p2ac \circ ac2p(P) \sqcap_{RAD} p2ac \circ ac2p(Q)$

Proof.

$p2ac(ac2p(P) \sqcap_R ac2p(Q))$ {Definition of $\sqcap_R$}

$= p2ac(ac2p(P) \lor ac2p(Q))$ {Theorem T.4.6.1}

$= p2ac \circ ac2p(P) \lor p2ac \circ ac2p(Q)$ {Definition of $\sqcap_{RAD}$}

$= p2ac \circ ac2p(P) \sqcap_{RAD} p2ac \circ ac2p(Q)$

□
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Theorem T.5.4.6 ac2p(p2ac(P ) IArad p2ac(Q )) = P fl R Q 


Proof. 


ac2p(p2ac(P) n RA D 
= ac2p o p2ac(P ) fl 


p2ac(Q )) {Definition of n R AD and Theorem |T.C.5.l|| 

rad ac2p o p2ac(Q ) = P n R Q 


{Definition of f 1 R and Theorem T.5.3.5} 


□ 


Theorem T.5.4.7 Provided $P$ is a reactive angelic design,

$Chaos_{RAD} \sqcap_{RAD} P = Chaos_{RAD}$

Proof.

$Chaos_{RAD} \sqcap_{RAD} P$ {Definition of $Chaos_{RAD}$}

$= RA \circ A(false \vdash ac' \neq \emptyset) \sqcap_{RAD} P$ {Assumption: $P$ is RAD-healthy}

$= RA \circ A(false \vdash ac' \neq \emptyset) \sqcap_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.G.8.4}

$= RA \circ A(false \land \lnot P^f_f \vdash ac' \neq \emptyset \lor P^t_f)$ {Predicate calculus}

$= RA \circ A(false \vdash ac' \neq \emptyset \lor P^t_f)$ {Predicate calculus}

$= RA \circ A(false \vdash ac' \neq \emptyset)$ {Definition of $Chaos_{RAD}$}

$= Chaos_{RAD}$

□


Theorem T.G.8.4

$RA \circ A(P \vdash Q) \sqcap RA \circ A(R \vdash S) = RA \circ A(P \land R \vdash Q \lor S)$

Proof.

$RA \circ A(P \vdash Q) \sqcap RA \circ A(R \vdash S)$ {Theorem T.G.1.6}

$= RA \circ PBMH(P \vdash Q) \sqcap RA \circ PBMH(R \vdash S)$ {Definition of $\sqcap$}

$= RA \circ PBMH(P \vdash Q) \lor RA \circ PBMH(R \vdash S)$ {Theorem T.G.4.2}

$= RA(PBMH(P \vdash Q) \lor PBMH(R \vdash S))$ {Theorem T.E.2.2}

$= RA \circ PBMH((P \vdash Q) \lor (R \vdash S))$ {Disjunction of designs}

$= RA \circ PBMH(P \land R \vdash Q \lor S)$

□

Lemma L.5.4.1 Provided $P$ and $Q$ are reactive angelic designs and A2-healthy,

$p2ac(ac2p(P) \sqcap_R ac2p(Q)) = P \sqcap_{RAD} Q$

Proof.

$p2ac(ac2p(P) \sqcap_R ac2p(Q))$ {Theorem T.5.4.5}

$= p2ac \circ ac2p(P) \sqcap_{RAD} p2ac \circ ac2p(Q)$ {Assumption: $P$ and $Q$ are RAD-healthy and A2-healthy, and Theorem T.5.3.7}

$= P \sqcap_{RAD} Q$

□


G.8.3 Chaos 

Theorem T.5.4.8 Provided $P$ is a reactive angelic design,

$Chaos_{RAD} \sqcup_{RAD} P = P$

Proof.

$Chaos_{RAD} \sqcup_{RAD} P$ {Assumption: $P$ is RAD-healthy}

$= Chaos_{RAD} \sqcup_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Definition of $Chaos_{RAD}$}

$= RA \circ A(false \vdash ac' \neq \emptyset) \sqcup_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.4.1}

$= RA \circ A(false \lor \lnot P^f_f \vdash (false \Rightarrow ac' \neq \emptyset) \land (\lnot P^f_f \Rightarrow P^t_f))$ {Predicate calculus}

$= RA \circ A(\lnot P^f_f \vdash (\lnot P^f_f \Rightarrow P^t_f))$ {Definition of design and predicate calculus}

$= RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Assumption: $P$ is RAD-healthy}

$= P$

□


Theorem T.5.4.9 $ac2p(Chaos_{RAD}) = Chaos_R$

Proof.

$ac2p(Chaos_{RAD})$ {Definition of $Chaos_{RAD}$}

$= ac2p(RA \circ A(false \vdash ac' \neq \emptyset))$ {Theorem T.5.3.2}

$= R(\lnot ac2p(true) \vdash ac2p(ac' \neq \emptyset))$ {Lemma L.C.5.27}

$= R(\lnot true \vdash ac2p(ac' \neq \emptyset))$ {Predicate calculus and definition of design}

$= R(false \vdash true)$ {Definition of $Chaos_R$}

$= Chaos_R$

□

Theorem T.5.4.10 $p2ac(Chaos_R) = Chaos_{RAD}$

Proof.

$p2ac(Chaos_R)$ {Definition of $Chaos_R$}

$= p2ac \circ R(false \vdash true)$ {Theorem T.5.3.4}

$= RA \circ A(\lnot p2ac(true) \vdash p2ac(true))$ {Lemma L.C.5.2}

$= RA \circ A(\lnot ac' \neq \emptyset \vdash ac' \neq \emptyset)$ {Definition of A and PBMH-idempotent (Theorem T.E.2.1)}

$= RA \circ A \circ PBMH(\lnot ac' \neq \emptyset \vdash ac' \neq \emptyset)$ {Lemma L.4.2.2}

$= RA \circ A(\lnot PBMH(ac' = \emptyset) \vdash PBMH(ac' \neq \emptyset))$ {$PBMH(ac' = \emptyset) = true$}

$= RA \circ A(\lnot true \vdash ac' \neq \emptyset)$ {Predicate calculus}

$= RA \circ A(false \vdash ac' \neq \emptyset)$ {Definition of $Chaos_{RAD}$}

$= Chaos_{RAD}$

□

G.8.4 Choice 

Theorem T.5.4.11 $p2ac(Choice_R) = Choice_{RAD}$

Proof.

$p2ac(Choice_R)$ {Definition of $Choice_R$}

$= p2ac \circ R(true \vdash true)$ {Theorem T.5.3.4}

$= RA \circ A(\lnot p2ac(false) \vdash p2ac(true))$ {Lemmas L.C.5.2 and L.C.5.3}

$= RA \circ A(\lnot false \vdash ac' \neq \emptyset)$ {Predicate calculus}

$= RA \circ A(true \vdash ac' \neq \emptyset)$ {Definition of $Choice_{RAD}$}

$= Choice_{RAD}$

□


Theorem T.5.4.12 $ac2p(Choice_{RAD}) = Choice_R$

Proof.

$ac2p(Choice_{RAD})$ {Definition of $Choice_{RAD}$}

$= ac2p \circ RA \circ A(true \vdash ac' \neq \emptyset)$ {Theorem T.5.3.2}

$= R(\lnot ac2p(false) \vdash ac2p(\odot^{y}_{ac'}(ac' \neq \emptyset)))$ {Predicate calculus}

$= R(\lnot ac2p(false) \vdash ac2p(true \land ac' \neq \emptyset))$ {Lemmas L.C.5.27 and L.C.5.35}

$= R(true \vdash true)$ {Definition of $Choice_R$}

$= Choice_R$

□


Theorem T.5.4.13 Provided $P$ is RAD-healthy,

$Choice_{RAD} \sqcup_{RAD} P = RA \circ A(true \vdash P^t_f)$

Proof.

$Choice_{RAD} \sqcup_{RAD} P$ {Definition of $ND_{RAD}$ and Theorem T.5.5.2}

$= RA \circ A(true \vdash P^t_f)$

□


Theorem T.5.4.14 Provided $P$ is RAD-healthy,

$Choice_{RAD} \sqcap_{RAD} P = RA \circ A(\lnot P^f_f \vdash ac' \neq \emptyset)$

Proof.

$Choice_{RAD} \sqcap_{RAD} P$ {Definition of $Choice_{RAD}$}

$= RA \circ A(true \vdash ac' \neq \emptyset) \sqcap_{RAD} P$ {Assumption: $P$ is RAD-healthy}

$= RA \circ A(true \vdash ac' \neq \emptyset) \sqcap_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.4.4}

$= RA \circ A(true \land \lnot P^f_f \vdash ac' \neq \emptyset \lor P^t_f)$ {Predicate calculus}

$= RA \circ A(\lnot P^f_f \vdash ac' \neq \emptyset \lor P^t_f)$ {Definition of A, A0 and predicate calculus}

$= RA \circ A(\lnot P^f_f \vdash ac' \neq \emptyset)$

□


G.8.5 Stop 

Theorem T.5.4.15 Provided $P$ is RAD-healthy,

$Stop_{RAD} \sqcup_{RAD} P = RA \circ A(true \vdash (\lnot P^f_f \Rightarrow P^t_f) \land \odot^{y}_{ac'}(y.tr = s.tr \land y.wait))$

Proof.

$Stop_{RAD} \sqcup_{RAD} P$ {Definition of $Stop_{RAD}$}

$= RA \circ A(true \vdash \odot^{y}_{ac'}(y.tr = s.tr \land y.wait)) \sqcup_{RAD} P$ {Assumption: $P$ is RAD-healthy}

$= RA \circ A(true \vdash \odot^{y}_{ac'}(y.tr = s.tr \land y.wait)) \sqcup_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.4.1}

$= RA \circ A(true \lor \lnot P^f_f \vdash (true \Rightarrow \odot^{y}_{ac'}(y.tr = s.tr \land y.wait)) \land (\lnot P^f_f \Rightarrow P^t_f))$ {Predicate calculus}

$= RA \circ A(true \vdash (\lnot P^f_f \Rightarrow P^t_f) \land \odot^{y}_{ac'}(y.tr = s.tr \land y.wait))$

□


Theorem T.5.4.16 $p2ac(Stop_R) = Stop_{RAD}$

Proof.

$p2ac(Stop_R)$ {Definition of $Stop_R$}

$= p2ac \circ R(true \vdash tr' = tr \land wait')$ {Theorem T.5.3.4}

$= RA \circ A(\lnot p2ac(false) \vdash p2ac(tr' = tr \land wait'))$ {Lemma L.C.5.3}

$= RA \circ A(\lnot false \vdash p2ac(tr' = tr \land wait'))$ {Predicate calculus}

$= RA \circ A(true \vdash p2ac(tr' = tr \land wait'))$ {Definition of $p2ac$}

$= RA \circ A(true \vdash \exists z \bullet z.tr' = s.tr \land z.wait' \land undash(z) \in ac')$ {Introduce fresh variable}

$= RA \circ A(true \vdash \exists z, y \bullet z.tr' = s.tr \land z.wait' \land y = undash(z) \land y \in ac')$ {Property of $dash$}

$= RA \circ A(true \vdash \exists z, y \bullet z.tr' = s.tr \land z.wait' \land dash(y) = z \land y \in ac')$ {One-point rule}

$= RA \circ A(true \vdash \exists y \bullet dash(y).tr' = s.tr \land dash(y).wait' \land y \in ac')$ {Property of $dash$}

$= RA \circ A(true \vdash \exists y \bullet y.tr = s.tr \land y.wait \land y \in ac')$ {Definition of $\odot^{y}_{ac'}$}

$= RA \circ A(true \vdash \odot^{y}_{ac'}(y.tr = s.tr \land y.wait))$ {Definition of $Stop_{RAD}$}

$= Stop_{RAD}$

□

Theorem T.5.4.17 $ac2p(Stop_{RAD}) = Stop_R$

Proof.

$ac2p(Stop_{RAD})$ {Definition of $Stop_{RAD}$}

$= ac2p \circ RA \circ A(true \vdash \odot^{y}_{ac'}(y.wait \land y.tr = s.tr))$ {Theorem T.5.3.2}

$= R(\lnot ac2p(false) \vdash ac2p(\odot^{y}_{ac'}(y.wait \land y.tr = s.tr)))$ {Lemma L.C.5.27 and predicate calculus}

$= R(true \vdash ac2p(\odot^{y}_{ac'}(y.wait \land y.tr = s.tr)))$ {Definition of $\odot^{y}_{ac'}$ and Lemma L.C.5.21}

$= R(true \vdash wait' \land tr' = tr)$ {Definition of $Stop_R$}

$= Stop_R$

□


G.8.6 Skip 

Theorem T.5.4.18 Provided $P$ is RAD-healthy,

$Skip_{RAD} \sqcup_{RAD} P = RA \circ A(true \vdash \odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr) \land (\lnot P^f_f \Rightarrow P^t_f))$

Proof.

$Skip_{RAD} \sqcup_{RAD} P$ {Definition of $Skip_{RAD}$}

$= RA \circ A(true \vdash \odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr)) \sqcup_{RAD} P$ {Assumption: $P$ is RAD-healthy}

$= RA \circ A(true \vdash \odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr)) \sqcup_{RAD} RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.4.1}

$= RA \circ A(true \lor \lnot P^f_f \vdash (true \Rightarrow \odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr)) \land (\lnot P^f_f \Rightarrow P^t_f))$ {Predicate calculus}

$= RA \circ A(true \vdash \odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr) \land (\lnot P^f_f \Rightarrow P^t_f))$

□


Theorem T.5.4.19 $p2ac(Skip_R) = Skip_{RAD}$

Proof.

$p2ac(Skip_R)$ {Definition of $Skip_R$}

$= p2ac \circ R(true \vdash tr' = tr \land \lnot wait')$ {Theorem T.5.3.4}

$= RA \circ A(\lnot p2ac(false) \vdash p2ac(tr' = tr \land \lnot wait'))$ {Lemma L.C.5.3 and predicate calculus}

$= RA \circ A(true \vdash p2ac(tr' = tr \land \lnot wait'))$ {Definition of $p2ac$ and substitution}

$= RA \circ A(true \vdash \exists z \bullet z.tr' = s.tr \land \lnot z.wait' \land undash(z) \in ac')$ {Introduce fresh variable $y$ and property of $dash$ and $undash$}

$= RA \circ A(true \vdash \exists y \bullet y.tr = s.tr \land \lnot y.wait \land y \in ac')$ {Definition of $\odot^{y}_{ac'}$}

$= RA \circ A(true \vdash \odot^{y}_{ac'}(y.tr = s.tr \land \lnot y.wait))$ {Definition of $Skip_{RAD}$}

$= Skip_{RAD}$

□

Theorem T.5.4.20 $ac2p(Skip_{RAD}) = Skip_R$

Proof.

$ac2p(Skip_{RAD})$ {Definition of $Skip_{RAD}$}

$= ac2p \circ RA \circ A(true \vdash \odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr))$ {Theorem T.5.3.2}

$= R(\lnot ac2p(false) \vdash ac2p(\odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr)))$ {Lemma L.C.5.27 and predicate calculus}

$= R(true \vdash ac2p(\odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr)))$ {Definition of $\odot^{y}_{ac'}$ and Lemma L.C.5.21}

$= R(true \vdash \lnot wait' \land tr' = tr)$ {Definition of $Skip_R$}

$= Skip_R$

□


Lemma L.5.4.2 $ac2p(Stop_{RAD} \sqcup_{RAD} Skip_{RAD}) = \top_R$

Proof.

$ac2p(Stop_{RAD} \sqcup_{RAD} Skip_{RAD})$ {Definition of $Stop_{RAD}$ and $Skip_{RAD}$}

$= ac2p(RA \circ A(true \vdash \odot^{y}_{ac'}(y.tr = s.tr \land y.wait)) \sqcup_{RAD} RA \circ A(true \vdash \odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr)))$ {Theorem T.5.4.1}

$= ac2p \circ RA \circ A(true \lor true \vdash (true \Rightarrow \odot^{y}_{ac'}(y.tr = s.tr \land y.wait)) \land (true \Rightarrow \odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr)))$ {Predicate calculus}

$= ac2p \circ RA \circ A(true \vdash \odot^{y}_{ac'}(y.tr = s.tr \land y.wait) \land \odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr))$ {Theorem T.5.3.2}

$= R(\lnot ac2p(false) \vdash ac2p(\odot^{y}_{ac'}(y.tr = s.tr \land y.wait) \land \odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr)))$ {Lemma L.C.5.27 and Theorem T.C.5.2}

$= R(\lnot false \vdash ac2p(\odot^{y}_{ac'}(y.tr = s.tr \land y.wait)) \land ac2p(\odot^{y}_{ac'}(\lnot y.wait \land y.tr = s.tr)))$ {Predicate calculus and Lemma L.C.5.21}

$= R(true \vdash tr' = tr \land wait' \land \lnot wait' \land tr' = tr)$ {Predicate calculus}

$= R(true \vdash false)$ {Definition of $\top_R$}

$= \top_R$

□


G.8.7 Sequential Composition 


Theorem T.5.4.21 Provided $P$ and $Q$ are reactive angelic designs,

$P \mathrel{;}_{Dac} Q = RA \circ A(\lnot (RA1(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot (RA1(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1(Q^f_f))) \vdash RA1(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\lnot Q^f_f \Rightarrow Q^t_f))))$

Proof.

$P \mathrel{;}_{Dac} Q$ {Assumption: $P$ and $Q$ are RAD-healthy}

$= RA \circ A(\lnot P^f_f \vdash P^t_f) \mathrel{;}_{Dac} RA \circ A(\lnot Q^f_f \vdash Q^t_f)$ {Theorem T.G.1.6}

$= RA \circ PBMH(\lnot P^f_f \vdash P^t_f) \mathrel{;}_{Dac} RA \circ PBMH(\lnot Q^f_f \vdash Q^t_f)$ {Lemma L.4.2.2}

$= RA(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f)) \mathrel{;}_{Dac} RA(\lnot PBMH(Q^f_f) \vdash PBMH(Q^t_f))$ {Theorem T.G.8.5}

$= RA(\lnot (RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot (RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd RA2 \circ RA1(\lnot PBMH(Q^f_f) \Rightarrow PBMH(Q^t_f))))$ {Predicate calculus and Theorem T.E.2.2}

$= RA(\lnot (RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot (RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f))))$ {Lemma L.E.4.1 and Theorems T.F.3.1 and T.5.2.5}

$= RA(\lnot PBMH(RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot (RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f))))$ {Theorems T.F.3.1, T.5.2.5 and T.5.2.11, and Lemma L.E.4.8}

$= RA(\lnot PBMH(RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot PBMH(RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f))))$ {Theorem T.5.2.5}

$= RA(\lnot PBMH(RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot PBMH(RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash (PBMH \circ RA1 \circ PBMH(P^t_f)) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f))))$ {Lemma L.E.4.3 and Theorems T.5.2.5 and T.5.2.11}

$= RA(\lnot PBMH(RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot PBMH(RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash (PBMH \circ RA1 \circ PBMH(P^t_f)) \mathrel{;}_{A} (PBMH(s \in ac') \lhd s.wait \rhd PBMH(RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \R
ightarrow Q^t_f))))$ {Lemma L.E.4.9}

$= RA(\lnot PBMH(RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot PBMH(RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash (PBMH \circ RA1 \circ PBMH(P^t_f)) \mathrel{;}_{A} PBMH(s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f))))$ {Theorem T.F.3.1}

$= RA(\lnot PBMH(RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot PBMH(RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash PBMH((PBMH \circ RA1 \circ PBMH(P^t_f)) \mathrel{;}_{A} PBMH(s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f)))))$ {Lemmas L.E.4.3 and L.E.4.9, and Theorems T.5.2.5 and T.5.2.11}

$= RA(\lnot PBMH(RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot PBMH(RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash PBMH((PBMH \circ RA1 \circ PBMH(P^t_f)) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f)))))$ {Theorem T.5.2.5}

$= RA(\lnot PBMH(RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot PBMH(RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash PBMH(RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f)))))$ {Predicate calculus}

$= RA(\lnot (PBMH(RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \lor PBMH(RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f)))) \vdash PBMH(RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f)))))$ {Distributivity of PBMH (Theorem T.E.2.2)}

$= RA(\lnot PBMH((RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \lor (RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f)))) \vdash PBMH(RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f)))))$ {Lemma L.4.2.2 and predicate calculus}

$= RA \circ PBMH(\lnot (RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot (RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f))))$ {Theorem T.G.1.6}

$= RA \circ A(\lnot (RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot (RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(\lnot Q^f_f \Rightarrow Q^t_f))))$ {Predicate calculus and Theorem T.E.2.2}

$= RA \circ A(\lnot (RA1 \circ PBMH(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot (RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1 \circ PBMH(Q^f_f))) \vdash RA1 \circ PBMH(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\lnot PBMH(Q^f_f) \Rightarrow PBMH(Q^t_f)))))$ {Lemma L.E.5.1}

$= RA \circ A(\lnot (RA1(PBMH(P)^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot (RA1(PBMH(P)^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1(PBMH(Q)^f_f))) \vdash RA1(PBMH(P)^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\lnot PBMH(Q)^f_f \Rightarrow PBMH(Q)^t_f))))$ {Assumption: $P$ and $Q$ are RAD-healthy, and Theorem T.5.2.21}

$= RA \circ A(\lnot (RA1(P^f_f) \mathrel{;}_{A} RA1(true)) \land \lnot (RA1(P^t_f) \mathrel{;}_{A} (\lnot s.wait \land RA2 \circ RA1(Q^f_f))) \vdash RA1(P^t_f) \mathrel{;}_{A} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\lnot Q^f_f \Rightarrow Q^t_f))))$

□


Theorem T.5.4.22 Provided $P$ and $Q$ are reactive angelic designs,

$p2ac(ac2p(P) \mathrel{;} ac2p(Q)) \sqsupseteq P \mathrel{;}_{Dac} Q$

Proof.

$p2ac(ac2p(P) \mathrel{;} ac2p(Q))$ {Theorem T.G.7.11}

$= p2ac \circ ac2p(P) \mathrel{;}_{Dac} p2ac \circ ac2p(Q)$ {Theorem T.G.7.13 and Lemmas L.C.4.2 and L.C.4.3}

$\sqsupseteq PBMH(P) \mathrel{;}_{Dac} PBMH(Q)$ {Assumption: $P$ and $Q$ are RAD-healthy, and Theorem T.5.2.21}

$= P \mathrel{;}_{Dac} Q$

□


Theorem T.5.4.23 Provided $P$ and $Q$ are RAD-healthy and A2-healthy,

$p2ac(ac2p(P) \mathrel{;} ac2p(Q)) = P \mathrel{;}_{Dac} Q$

Proof.

$p2ac(ac2p(P) \mathrel{;} ac2p(Q))$ {Theorem T.G.7.11}

$= p2ac \circ ac2p(P) \mathrel{;}_{Dac} p2ac \circ ac2p(Q)$ {Assumption: $P$ and $Q$ are A2-healthy, and Lemma L.G.7.11}

$= (P \land ac' \neq \emptyset) \mathrel{;}_{Dac} (Q \land ac' \neq \emptyset)$ {Assumption: $P$ and $Q$ are RAD-healthy, and Lemma L.G.1.6}

$= P \mathrel{;}_{Dac} Q$

□


Theorem T.5.4.24 $ac2p(p2ac(P) \mathrel{;}_{Dac} p2ac(Q)) = P \mathrel{;} Q$

Proof.

$ac2p(p2ac(P) \mathrel{;}_{Dac} p2ac(Q))$ {Theorem T.G.7.11}

$= ac2p \circ p2ac(P \mathrel{;} Q)$ {Theorem T.5.3.5}

$= P \mathrel{;} Q$

□

Theorem T.5.4.25 Provided $P$ and $Q$ are reactive angelic designs and A2-healthy, $A2(P \mathrel{;}_{Dac} Q) = P \mathrel{;}_{Dac} Q$

Proof.

$P \mathrel{;}_{Dac} Q$ {Assumption: $P$ and $Q$ are RAD-healthy, and Theorem T.5.2.20}

$= RA \circ A(\lnot P^f_f \vdash P^t_f) \mathrel{;}_{Dac} RA \circ A(\lnot Q^f_f \vdash Q^t_f)$ {Assumption: $P$ and $Q$ are A2-healthy, and Theorem T.G.4.7}

$= A2 \circ RA \circ A(\lnot P^f_f \vdash P^t_f) \mathrel{;}_{Dac} A2 \circ RA \circ A(\lnot Q^f_f \vdash Q^t_f)$ {Theorem T.G.4.11}

$= A2(A2 \circ RA \circ A(\lnot P^f_f \vdash P^t_f) \mathrel{;}_{Dac} A2 \circ RA \circ A(\lnot Q^f_f \vdash Q^t_f))$ {Assumption: $P$ and $Q$ are A2-healthy, and Theorem T.G.4.7}

$= A2(RA \circ A(\lnot P^f_f \vdash P^t_f) \mathrel{;}_{Dac} RA \circ A(\lnot Q^f_f \vdash Q^t_f))$ {Assumption: $P$ and $Q$ are RAD-healthy, and Theorem T.5.2.20}

$= A2(P \mathrel{;}_{Dac} Q)$

□
Theorem T.G.8.5 Provided $\neg P$, $\neg R$, $Q$ and $S$ are PBMH-healthy and $ok$, $ok'$ are not free in $P$, $Q$, $R$ and $S$,
\[
RA(P \vdash Q) ;_{\mathcal{D}ac} RA(R \vdash S)
= RA\left(
\begin{array}{l}
\neg (RA1(\neg P) ;_{\mathcal{A}} RA1(true)) \\
\wedge \\
\neg (RA1(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(\neg R))) \\
\vdash \\
RA1(Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA2 \circ RA1(R \Rightarrow S))
\end{array}
\right)
\]

Proof.
\[
\begin{array}{ll}
RA(P \vdash Q) ;_{\mathcal{D}ac} RA(R \vdash S) & \{\text{Definition of } RA\} \\
= RA3 \circ RA2 \circ RA1(P \vdash Q) ;_{\mathcal{D}ac} RA3 \circ RA2 \circ RA1(R \vdash S) & \{\text{Commutativity of RA1-RA2 (Theorem T.5.2.10)}\} \\
= RA3 \circ RA1 \circ RA2(P \vdash Q) ;_{\mathcal{D}ac} RA3 \circ RA1 \circ RA2(R \vdash S) & \{\text{Commutativity of RA1-RA3 (Theorem T.5.2.16)}\} \\
= RA1 \circ RA3 \circ RA2(P \vdash Q) ;_{\mathcal{D}ac} RA1 \circ RA3 \circ RA2(R \vdash S) & \{\text{Lemma L.G.2.15}\} \\
= RA1 \circ RA3(\neg RA2(\neg P) \vdash RA2(Q)) ;_{\mathcal{D}ac} RA1 \circ RA3(\neg RA2(\neg R) \vdash RA2(S)) & \{\text{Lemma L.G.4.1}\} \\
= \left(\begin{array}{l} RA1(true \lhd s.wait \rhd (\neg RA2(\neg P)) \vdash s \in ac' \lhd s.wait \rhd RA2(Q)) \\ ;_{\mathcal{D}ac} \\ RA1(true \lhd s.wait \rhd (\neg RA2(\neg R)) \vdash s \in ac' \lhd s.wait \rhd RA2(S)) \end{array}\right) & \{\text{Theorem T.G.8.6}\} \\
= RA1\left(\begin{array}{l} \neg (RA1(\neg (true \lhd s.wait \rhd \neg RA2(\neg P))) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg (RA1(s \in ac' \lhd s.wait \rhd RA2(Q)) ;_{\mathcal{A}} RA1(\neg (true \lhd s.wait \rhd (\neg RA2(\neg R))))) \\ \vdash \\ RA1(s \in ac' \lhd s.wait \rhd RA2(Q)) ;_{\mathcal{A}} RA1((true \lhd s.wait \rhd \neg RA2(\neg R)) \Rightarrow (s \in ac' \lhd s.wait \rhd RA2(S))) \end{array}\right) & \{\text{Predicate calculus}\} \\
= RA1\left(\begin{array}{l} \neg (RA1(\neg (true \lhd s.wait \rhd \neg RA2(\neg P))) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg (RA1(s \in ac' \lhd s.wait \rhd RA2(Q)) ;_{\mathcal{A}} RA1(\neg (true \lhd s.wait \rhd (\neg RA2(\neg R))))) \\ \vdash \\ RA1(s \in ac' \lhd s.wait \rhd RA2(Q)) ;_{\mathcal{A}} RA1(\neg (true \lhd s.wait \rhd (\neg RA2(\neg R))) \vee (s \in ac' \lhd s.wait \rhd RA2(S))) \end{array}\right) & \{\text{Lemma L.A.1.3 and predicate calculus}\} \\
= RA1\left(\begin{array}{l} \neg (RA1(false \lhd s.wait \rhd RA2(\neg P)) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg (RA1(s \in ac' \lhd s.wait \rhd RA2(Q)) ;_{\mathcal{A}} RA1(false \lhd s.wait \rhd RA2(\neg R))) \\ \vdash \\ RA1(s \in ac' \lhd s.wait \rhd RA2(Q)) ;_{\mathcal{A}} RA1((false \lhd s.wait \rhd RA2(\neg R)) \vee (s \in ac' \lhd s.wait \rhd RA2(S))) \end{array}\right) & \{\text{Property of conditional and predicate calculus}\} \\
= RA1\left(\begin{array}{l} \neg (RA1(false \lhd s.wait \rhd RA2(\neg P)) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg (RA1(s \in ac' \lhd s.wait \rhd RA2(Q)) ;_{\mathcal{A}} RA1(false \lhd s.wait \rhd RA2(\neg R))) \\ \vdash \\ RA1(s \in ac' \lhd s.wait \rhd RA2(Q)) ;_{\mathcal{A}} RA1(s \in ac' \lhd s.wait \rhd (RA2(S) \vee RA2(\neg R))) \end{array}\right) & \{\text{Theorem T.5.2.7 and predicate calculus}\} \\
= RA1\left(\begin{array}{l} \neg (RA1(false \lhd s.wait \rhd RA2(\neg P)) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg (RA1(s \in ac' \lhd s.wait \rhd RA2(Q)) ;_{\mathcal{A}} RA1(false \lhd s.wait \rhd RA2(\neg R))) \\ \vdash \\ RA1(s \in ac' \lhd s.wait \rhd RA2(Q)) ;_{\mathcal{A}} RA1(s \in ac' \lhd s.wait \rhd RA2(R \Rightarrow S)) \end{array}\right) & \{\text{Lemma L.G.1.15}\} \\
= RA1\left(\begin{array}{l} \neg ((RA1(false) \lhd s.wait \rhd RA1 \circ RA2(\neg P)) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg ((RA1(s \in ac') \lhd s.wait \rhd RA1 \circ RA2(Q)) ;_{\mathcal{A}} (RA1(false) \lhd s.wait \rhd RA1 \circ RA2(\neg R))) \\ \vdash \\ (RA1(s \in ac') \lhd s.wait \rhd RA1 \circ RA2(Q)) ;_{\mathcal{A}} (RA1(s \in ac') \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S)) \end{array}\right) & \{\text{Lemmas L.G.1.9 and L.G.1.14}\} \\
= RA1\left(\begin{array}{l} \neg ((false \lhd s.wait \rhd RA1 \circ RA2(\neg P)) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(Q)) ;_{\mathcal{A}} (false \lhd s.wait \rhd RA1 \circ RA2(\neg R))) \\ \vdash \\ (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(Q)) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S)) \end{array}\right) & \{\text{Property of conditional}\} \\
= RA1\left(\begin{array}{l} \neg ((\neg s.wait \wedge RA1 \circ RA2(\neg P)) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2(Q)) ;_{\mathcal{A}} (\neg s.wait \wedge RA1 \circ RA2(\neg R))) \\ \vdash \\ (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(Q)) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S)) \end{array}\right) & \{\text{Lemma L.A.1.2}\} \\
= RA1\left(\begin{array}{l} \neg ((\neg s.wait \wedge RA1 \circ RA2(\neg P)) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg \left(\begin{array}{l} (s \in ac' ;_{\mathcal{A}} (\neg s.wait \wedge RA1 \circ RA2(\neg R))) \\ \lhd s.wait \rhd \\ (RA1 \circ RA2(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA1 \circ RA2(\neg R))) \end{array}\right) \\ \vdash \\ \begin{array}{l} (s \in ac' ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S))) \\ \lhd s.wait \rhd \\ (RA1 \circ RA2(Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S))) \end{array} \end{array}\right) & \{\text{Lemma L.F.6.2}\} \\
= RA1\left(\begin{array}{l} \neg ((\neg s.wait \wedge RA1 \circ RA2(\neg P)) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg \left(\begin{array}{l} (\neg s.wait \wedge RA1 \circ RA2(\neg R)) \\ \lhd s.wait \rhd \\ (RA1 \circ RA2(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA1 \circ RA2(\neg R))) \end{array}\right) \\ \vdash \\ \begin{array}{l} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S)) \\ \lhd s.wait \rhd \\ (RA1 \circ RA2(Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S))) \end{array} \end{array}\right) & \{\text{Lemma L.F.2.8}\} \\
= RA1\left(\begin{array}{l} \neg (\neg s.wait \wedge (RA1 \circ RA2(\neg P) ;_{\mathcal{A}} RA1(true))) \\ \wedge \\ \neg \left(\begin{array}{l} (\neg s.wait \wedge RA1 \circ RA2(\neg R)) \\ \lhd s.wait \rhd \\ (RA1 \circ RA2(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA1 \circ RA2(\neg R))) \end{array}\right) \\ \vdash \\ \begin{array}{l} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S)) \\ \lhd s.wait \rhd \\ (RA1 \circ RA2(Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S))) \end{array} \end{array}\right) & \{\text{Property of conditional}\} \\
= RA1\left(\begin{array}{l} \neg (\neg s.wait \wedge (RA1 \circ RA2(\neg P) ;_{\mathcal{A}} RA1(true))) \\ \wedge \\ \neg (\neg s.wait \wedge (RA1 \circ RA2(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA1 \circ RA2(\neg R)))) \\ \vdash \\ (s \in ac') \lhd s.wait \rhd (RA1 \circ RA2(Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S))) \end{array}\right) & \{\text{Predicate calculus}\} \\
= RA1\left(\begin{array}{l} \neg \left(\begin{array}{l} (\neg s.wait \wedge (RA1 \circ RA2(\neg P) ;_{\mathcal{A}} RA1(true))) \\ \vee \\ (\neg s.wait \wedge (RA1 \circ RA2(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA1 \circ RA2(\neg R)))) \end{array}\right) \\ \vdash \\ (s \in ac') \lhd s.wait \rhd (RA1 \circ RA2(Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S))) \end{array}\right) & \{\text{Predicate calculus and property of conditional}\} \\
= RA1\left(\begin{array}{l} \neg \left(false \lhd s.wait \rhd \left(\begin{array}{l} (RA1 \circ RA2(\neg P) ;_{\mathcal{A}} RA1(true)) \\ \vee \\ (RA1 \circ RA2(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA1 \circ RA2(\neg R))) \end{array}\right)\right) \\ \vdash \\ (s \in ac') \lhd s.wait \rhd (RA1 \circ RA2(Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S))) \end{array}\right) & \{\text{Lemma L.A.1.5}\} \\
= RA1\left(\begin{array}{l} true \lhd s.wait \rhd \neg \left(\begin{array}{l} (RA1 \circ RA2(\neg P) ;_{\mathcal{A}} RA1(true)) \\ \vee \\ (RA1 \circ RA2(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA1 \circ RA2(\neg R))) \end{array}\right) \\ \vdash \\ (s \in ac') \lhd s.wait \rhd (RA1 \circ RA2(Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S))) \end{array}\right) & \{\text{Lemma L.G.4.1}\} \\
= RA1 \circ RA3\left(\begin{array}{l} \neg \left(\begin{array}{l} (RA1 \circ RA2(\neg P) ;_{\mathcal{A}} RA1(true)) \\ \vee \\ (RA1 \circ RA2(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA1 \circ RA2(\neg R))) \end{array}\right) \\ \vdash \\ RA1 \circ RA2(Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1 \circ RA2(R \Rightarrow S)) \end{array}\right) & \{\text{Lemmas L.G.2.2, L.G.2.3, L.G.2.7 and L.G.2.8}\} \\
= RA1 \circ RA3\left(\begin{array}{l} \neg \left(\begin{array}{l} (RA1 \circ RA2(\neg P) ;_{\mathcal{A}} RA1 \circ RA2(true)) \\ \vee \\ (RA1 \circ RA2(Q) ;_{\mathcal{A}} (RA2(\neg s.wait) \wedge RA1 \circ RA2(\neg R))) \end{array}\right) \\ \vdash \\ RA1 \circ RA2(Q) ;_{\mathcal{A}} (RA2(s \in ac') \lhd RA2(s.wait) \rhd RA1 \circ RA2(R \Rightarrow S)) \end{array}\right) & \{\text{Theorem T.5.2.10}\} \\
= RA1 \circ RA3\left(\begin{array}{l} \neg \left(\begin{array}{l} (RA2 \circ RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \vee \\ (RA2 \circ RA1(Q) ;_{\mathcal{A}} (RA2(\neg s.wait) \wedge RA2 \circ RA1(\neg R))) \end{array}\right) \\ \vdash \\ RA2 \circ RA1(Q) ;_{\mathcal{A}} (RA2(s \in ac') \lhd RA2(s.wait) \rhd RA2 \circ RA1(R \Rightarrow S)) \end{array}\right) & \{\text{Theorem T.5.2.6}\} \\
= RA1 \circ RA3\left(\begin{array}{l} \neg \left(\begin{array}{l} (RA2 \circ RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \vee \\ (RA2 \circ RA1(Q) ;_{\mathcal{A}} RA2(\neg s.wait \wedge RA1(\neg R))) \end{array}\right) \\ \vdash \\ RA2 \circ RA1(Q) ;_{\mathcal{A}} (RA2(s \in ac') \lhd RA2(s.wait) \rhd RA2 \circ RA1(R \Rightarrow S)) \end{array}\right) & \{\text{Lemma L.G.2.6}\} \\
= RA1 \circ RA3\left(\begin{array}{l} \neg \left(\begin{array}{l} (RA2 \circ RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \vee \\ (RA2 \circ RA1(Q) ;_{\mathcal{A}} RA2(\neg s.wait \wedge RA1(\neg R))) \end{array}\right) \\ \vdash \\ RA2 \circ RA1(Q) ;_{\mathcal{A}} RA2(s \in ac' \lhd s.wait \rhd RA1(R \Rightarrow S)) \end{array}\right) & \{\text{Theorem T.G.2.4}\} \\
= RA1 \circ RA3\left(\begin{array}{l} \neg \left(\begin{array}{l} RA2(RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \vee \\ RA2(RA1(Q) ;_{\mathcal{A}} RA2(\neg s.wait \wedge RA1(\neg R))) \end{array}\right) \\ \vdash \\ RA2(RA1(Q) ;_{\mathcal{A}} RA2(s \in ac' \lhd s.wait \rhd RA1(R \Rightarrow S))) \end{array}\right) & \{\text{Theorem T.5.2.7}\} \\
= RA1 \circ RA3\left(\begin{array}{l} \neg RA2\left(\begin{array}{l} (RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \vee \\ (RA1(Q) ;_{\mathcal{A}} RA2(\neg s.wait \wedge RA1(\neg R))) \end{array}\right) \\ \vdash \\ RA2(RA1(Q) ;_{\mathcal{A}} RA2(s \in ac' \lhd s.wait \rhd RA1(R \Rightarrow S))) \end{array}\right) & \{\text{Lemma L.G.2.15}\} \\
= RA1 \circ RA3 \circ RA2\left(\begin{array}{l} \neg \left(\begin{array}{l} (RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \vee \\ (RA1(Q) ;_{\mathcal{A}} RA2(\neg s.wait \wedge RA1(\neg R))) \end{array}\right) \\ \vdash \\ RA1(Q) ;_{\mathcal{A}} RA2(s \in ac' \lhd s.wait \rhd RA1(R \Rightarrow S)) \end{array}\right) & \{\text{Commutativity of RA1-RA3 (Theorems T.5.2.10 and T.5.2.16)}\} \\
= RA3 \circ RA2 \circ RA1\left(\begin{array}{l} \neg \left(\begin{array}{l} (RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \vee \\ (RA1(Q) ;_{\mathcal{A}} RA2(\neg s.wait \wedge RA1(\neg R))) \end{array}\right) \\ \vdash \\ RA1(Q) ;_{\mathcal{A}} RA2(s \in ac' \lhd s.wait \rhd RA1(R \Rightarrow S)) \end{array}\right) & \{\text{Definition of } RA\} \\
= RA\left(\begin{array}{l} \neg \left(\begin{array}{l} (RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \vee \\ (RA1(Q) ;_{\mathcal{A}} RA2(\neg s.wait \wedge RA1(\neg R))) \end{array}\right) \\ \vdash \\ RA1(Q) ;_{\mathcal{A}} RA2(s \in ac' \lhd s.wait \rhd RA1(R \Rightarrow S)) \end{array}\right) & \{\text{Predicate calculus}\} \\
= RA\left(\begin{array}{l} \neg (RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \wedge \\ \neg (RA1(Q) ;_{\mathcal{A}} RA2(\neg s.wait \wedge RA1(\neg R))) \\ \vdash \\ RA1(Q) ;_{\mathcal{A}} RA2(s \in ac' \lhd s.wait \rhd RA1(R \Rightarrow S)) \end{array}\right) & \{\text{Theorem T.5.2.6 and Lemma L.G.2.8}\} \\
= RA\left(\begin{array}{l} \neg (RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \wedge \\ \neg (RA1(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(\neg R))) \\ \vdash \\ RA1(Q) ;_{\mathcal{A}} RA2(s \in ac' \lhd s.wait \rhd RA1(R \Rightarrow S)) \end{array}\right) & \{\text{Lemma L.G.2.6}\} \\
= RA\left(\begin{array}{l} \neg (RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \wedge \\ \neg (RA1(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(\neg R))) \\ \vdash \\ RA1(Q) ;_{\mathcal{A}} (RA2(s \in ac') \lhd s.wait \rhd RA2 \circ RA1(R \Rightarrow S)) \end{array}\right) & \{\text{Lemma L.G.2.3}\} \\
= RA\left(\begin{array}{l} \neg (RA1(\neg P) ;_{\mathcal{A}} RA2 \circ RA1(true)) \\ \wedge \\ \neg (RA1(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(\neg R))) \\ \vdash \\ RA1(Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA2 \circ RA1(R \Rightarrow S)) \end{array}\right) & \{\text{Theorem T.5.2.10 and Lemma L.G.2.2}\} \\
= RA\left(\begin{array}{l} \neg (RA1(\neg P) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg (RA1(Q) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(\neg R))) \\ \vdash \\ RA1(Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA2 \circ RA1(R \Rightarrow S)) \end{array}\right)
\end{array}
\]

□


Theorem T.G.8.6 Provided $\neg P$, $Q$, $\neg R$ and $S$ are PBMH-healthy, and $ok$ and $ok'$ are not free in $P$, $Q$, $R$ and $S$,
\[
RA1(P \vdash Q) ;_{\mathcal{D}ac} RA1(R \vdash S)
= RA1\left(
\begin{array}{l}
(RA1(\neg P) ;_{\mathcal{A}} RA1(true)) \wedge \neg (RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \\
\vdash \\
RA1(Q) ;_{\mathcal{A}} RA1(R \Rightarrow S)
\end{array}
\right)
\]
where the first conjunct of the precondition is negated, that is, the precondition is $\neg (RA1(\neg P) ;_{\mathcal{A}} RA1(true)) \wedge \neg (RA1(Q) ;_{\mathcal{A}} RA1(\neg R))$.

Proof.
\[
\begin{array}{ll}
RA1(P \vdash Q) ;_{\mathcal{D}ac} RA1(R \vdash S) & \{\text{Definition of } ;_{\mathcal{D}ac}\} \\
= \exists ok_0 \bullet RA1(P \vdash Q)[ok_0/ok'] ;_{\mathcal{A}} RA1(R \vdash S)[ok_0/ok] & \{\text{Definition of design}\} \\
= \exists ok_0 \bullet RA1((ok \wedge P) \Rightarrow (Q \wedge ok'))[ok_0/ok'] ;_{\mathcal{A}} RA1((ok \wedge R) \Rightarrow (S \wedge ok'))[ok_0/ok] & \{\text{Substitution } (ok' \notin (fv(Q) \cup fv(P)) \text{ and } ok \notin (fv(R) \cup fv(S)))\} \\
= \exists ok_0 \bullet RA1((ok \wedge P) \Rightarrow (Q \wedge ok_0)) ;_{\mathcal{A}} RA1((ok_0 \wedge R) \Rightarrow (S \wedge ok')) & \{\text{Case-split on } ok_0\} \\
= \left(\begin{array}{l} (RA1((ok \wedge P) \Rightarrow (Q \wedge true)) ;_{\mathcal{A}} RA1((true \wedge R) \Rightarrow (S \wedge ok'))) \\ \vee \\ (RA1((ok \wedge P) \Rightarrow (Q \wedge false)) ;_{\mathcal{A}} RA1((false \wedge R) \Rightarrow (S \wedge ok'))) \end{array}\right) & \{\text{Predicate calculus}\} \\
= (RA1((ok \wedge P) \Rightarrow Q) ;_{\mathcal{A}} RA1(R \Rightarrow (S \wedge ok'))) \vee (RA1(\neg (ok \wedge P)) ;_{\mathcal{A}} RA1(true)) & \{\text{Predicate calculus}\} \\
= (RA1(\neg ok \vee \neg P \vee Q) ;_{\mathcal{A}} RA1(\neg R \vee (S \wedge ok'))) \vee (RA1(\neg ok \vee \neg P) ;_{\mathcal{A}} RA1(true)) & \{\text{Distributivity of } RA1 \text{ (Theorem T.5.2.3)}\} \\
= ((RA1(\neg ok \vee \neg P) \vee RA1(Q)) ;_{\mathcal{A}} RA1(\neg R \vee (S \wedge ok'))) \vee (RA1(\neg ok \vee \neg P) ;_{\mathcal{A}} RA1(true)) & \{\text{Distributivity of } ;_{\mathcal{A}} \text{ (Lemma L.F.1.4)}\} \\
= \left(\begin{array}{l} (RA1(\neg ok \vee \neg P) ;_{\mathcal{A}} RA1(\neg R \vee (S \wedge ok'))) \\ \vee \\ (RA1(Q) ;_{\mathcal{A}} RA1(\neg R \vee (S \wedge ok'))) \\ \vee \\ (RA1(\neg ok \vee \neg P) ;_{\mathcal{A}} RA1(true)) \end{array}\right) & \{ok \text{ and } \neg P \text{ are PBMH-healthy (Lemma L.E.4.5), Theorems T.5.2.5 and T.G.1.5}\} \\
= (RA1(Q) ;_{\mathcal{A}} RA1(\neg R \vee (S \wedge ok'))) \vee (RA1(\neg ok \vee \neg P) ;_{\mathcal{A}} RA1(true)) & \{\text{Theorem T.5.2.3}\} \\
= (RA1(Q) ;_{\mathcal{A}} (RA1(\neg R) \vee RA1(S \wedge ok'))) \vee (RA1(\neg ok \vee \neg P) ;_{\mathcal{A}} RA1(true)) & \{\text{Lemma L.G.1.16}\} \\
= (RA1(Q) ;_{\mathcal{A}} (RA1(\neg R) \vee (RA1(S) \wedge ok'))) \vee (RA1(\neg ok \vee \neg P) ;_{\mathcal{A}} RA1(true)) & \{\text{Predicate calculus}\} \\
= (RA1(Q) ;_{\mathcal{A}} (\neg RA1(\neg R) \Rightarrow (RA1(S) \wedge ok'))) \vee (RA1(\neg ok \vee \neg P) ;_{\mathcal{A}} RA1(true)) & \{Q \text{ is PBMH-healthy, Theorem T.5.2.5 and Lemma L.F.2.4}\} \\
= \left(\begin{array}{l} (RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \\ \vee \\ ((RA1(Q) ;_{\mathcal{A}} (\neg RA1(\neg R) \Rightarrow RA1(S))) \wedge ok') \\ \vee \\ (RA1(\neg ok \vee \neg P) ;_{\mathcal{A}} RA1(true)) \end{array}\right) & \{\text{Predicate calculus}\} \\
= \left(\begin{array}{l} (RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \\ \vee \\ ((RA1(Q) ;_{\mathcal{A}} (RA1(\neg R) \vee RA1(S))) \wedge ok') \\ \vee \\ (RA1(\neg ok \vee \neg P) ;_{\mathcal{A}} RA1(true)) \end{array}\right) & \{\text{Theorem T.5.2.3}\} \\
= \left(\begin{array}{l} (RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \\ \vee \\ ((RA1(Q) ;_{\mathcal{A}} RA1(\neg R \vee S)) \wedge ok') \\ \vee \\ ((RA1(\neg ok) \vee RA1(\neg P)) ;_{\mathcal{A}} RA1(true)) \end{array}\right) & \{\text{Predicate calculus}\} \\
= \left(\begin{array}{l} (RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \\ \vee \\ ((RA1(Q) ;_{\mathcal{A}} RA1(R \Rightarrow S)) \wedge ok') \\ \vee \\ ((RA1(\neg ok) \vee RA1(\neg P)) ;_{\mathcal{A}} RA1(true)) \end{array}\right) & \{\text{Right-distributivity of } ;_{\mathcal{A}} \text{ (Lemma L.F.1.4)}\} \\
= \left(\begin{array}{l} (RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \\ \vee \\ ((RA1(Q) ;_{\mathcal{A}} RA1(R \Rightarrow S)) \wedge ok') \\ \vee \\ (RA1(\neg ok) ;_{\mathcal{A}} RA1(true)) \\ \vee \\ (RA1(\neg P) ;_{\mathcal{A}} RA1(true)) \end{array}\right) & \{\text{Lemma L.G.1.29}\} \\
= \left(\begin{array}{l} (RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \\ \vee \\ ((RA1(Q) ;_{\mathcal{A}} RA1(R \Rightarrow S)) \wedge ok') \\ \vee \\ RA1(\neg ok) \\ \vee \\ (RA1(\neg P) ;_{\mathcal{A}} RA1(true)) \end{array}\right) & \{\text{Assumption: } R, S \text{ are PBMH-healthy and Theorems T.5.2.5 and T.5.2.4}\} \\
= \left(\begin{array}{l} RA1(RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \\ \vee \\ (RA1(RA1(Q) ;_{\mathcal{A}} RA1(R \Rightarrow S)) \wedge ok') \\ \vee \\ RA1(\neg ok) \\ \vee \\ RA1(RA1(\neg P) ;_{\mathcal{A}} RA1(true)) \end{array}\right) & \{\text{Lemma L.G.1.16}\} \\
= \left(\begin{array}{l} RA1(RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \\ \vee \\ RA1((RA1(Q) ;_{\mathcal{A}} RA1(R \Rightarrow S)) \wedge ok') \\ \vee \\ RA1(\neg ok) \\ \vee \\ RA1(RA1(\neg P) ;_{\mathcal{A}} RA1(true)) \end{array}\right) & \{\text{Theorem T.5.2.3}\} \\
= RA1\left(\begin{array}{l} (RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \\ \vee \\ ((RA1(Q) ;_{\mathcal{A}} RA1(R \Rightarrow S)) \wedge ok') \\ \vee \\ (\neg ok) \\ \vee \\ (RA1(\neg P) ;_{\mathcal{A}} RA1(true)) \end{array}\right) & \{\text{Predicate calculus}\} \\
= RA1\left(\begin{array}{l} (ok \wedge \neg (RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \wedge \neg (RA1(\neg P) ;_{\mathcal{A}} RA1(true))) \\ \Rightarrow \\ ((RA1(Q) ;_{\mathcal{A}} RA1(R \Rightarrow S)) \wedge ok') \end{array}\right) & \{\text{Definition of design}\} \\
= RA1\left(\begin{array}{l} \neg (RA1(\neg P) ;_{\mathcal{A}} RA1(true)) \wedge \neg (RA1(Q) ;_{\mathcal{A}} RA1(\neg R)) \\ \vdash \\ RA1(Q) ;_{\mathcal{A}} RA1(R \Rightarrow S) \end{array}\right)
\end{array}
\]

□


G.8. OPERATORS 663

APPENDIX G. REACTIVE ANGELIC DESIGNS (RAD)

Lemma L.5.4.3 $(\mathit{Stop}_{RAD} \sqcup_{RAD} \mathit{Skip}_{RAD}) ;_{\mathcal{D}ac} \mathit{Chaos}_{RAD} = \mathit{Stop}_{RAD}$

Proof.
\[
\begin{array}{ll}
(\mathit{Stop}_{RAD} \sqcup_{RAD} \mathit{Skip}_{RAD}) ;_{\mathcal{D}ac} \mathit{Chaos}_{RAD} & \{\text{Result of Example 32 and definition of } \mathit{Chaos}_{RAD}\} \\
= \left(\begin{array}{l} RA \circ A(true \vdash (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \wedge (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr)) \\ ;_{\mathcal{D}ac} \\ RA \circ A(false \vdash ac' \neq \emptyset) \end{array}\right) & \{\text{Theorem T.5.4.21}\} \\
= RA \circ A\left(\begin{array}{l} \neg (RA1(false) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg \left(RA1\left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(true))\right) \\ \vdash \\ RA1\left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(false \Rightarrow ac' \neq \emptyset))) \end{array}\right) & \{\text{Predicate calculus}\} \\
= RA \circ A\left(\begin{array}{l} \neg (RA1(false) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg \left(RA1\left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(true))\right) \\ \vdash \\ RA1\left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(true))) \end{array}\right) & \{\text{Theorem T.5.2.2}\} \\
= RA \circ A\left(\begin{array}{l} \neg (RA1(false) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg \left(\left(\begin{array}{l} RA1((e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait)) \\ \wedge \\ RA1((e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr)) \end{array}\right) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(true))\right) \\ \vdash \\ \left(\begin{array}{l} RA1((e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait)) \\ \wedge \\ RA1((e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr)) \end{array}\right) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(true))) \end{array}\right) & \{\text{Lemma L.G.7.15}\} \\
= RA \circ A\left(\begin{array}{l} \neg (RA1(false) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg \left(\left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(true))\right) \\ \vdash \\ \left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(true))) \end{array}\right) & \{\text{Lemma L.G.1.9}\} \\
= RA \circ A\left(\begin{array}{l} \neg (false ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg \left(\left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(true))\right) \\ \vdash \\ \left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(true))) \end{array}\right) & \{\text{Lemma L.F.1.1 and predicate calculus}\} \\
= RA \circ A\left(\begin{array}{l} \neg \left(\left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(true))\right) \\ \vdash \\ \left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(true))) \end{array}\right) & \{\text{Theorem T.5.2.10 and Lemma L.G.2.4}\} \\
= RA \circ A\left(\begin{array}{l} \neg \left(\left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (\neg s.wait \wedge RA1(true))\right) \\ \vdash \\ \left(\begin{array}{l} (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \\ \wedge \\ (e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1(true)) \end{array}\right) & \{\text{Lemma L.F.1.5}\} \\
= RA \circ A\left(\begin{array}{l} \neg \left(\begin{array}{l} ((e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) ;_{\mathcal{A}} (\neg s.wait \wedge RA1(true))) \\ \wedge \\ ((e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) ;_{\mathcal{A}} (\neg s.wait \wedge RA1(true))) \end{array}\right) \\ \vdash \\ \begin{array}{l} ((e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1(true))) \\ \wedge \\ ((e)^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1(true))) \end{array} \end{array}\right) & \{\text{Definition of } (e)^{y}_{ac'}\} \\
= RA \circ A\left(\begin{array}{l} \neg \left(\begin{array}{l} ((\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac') ;_{\mathcal{A}} (\neg s.wait \wedge RA1(true))) \\ \wedge \\ ((\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge y \in ac') ;_{\mathcal{A}} (\neg s.wait \wedge RA1(true))) \end{array}\right) \\ \vdash \\ \begin{array}{l} ((\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac') ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1(true))) \\ \wedge \\ ((\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge y \in ac') ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA1(true))) \end{array} \end{array}\right) & \{\text{Definition of } ;_{\mathcal{A}}, \text{ substitution and property of sets}\} \\
= RA \circ A\left(\begin{array}{l} \neg \left(\begin{array}{l} (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge \neg y.wait \wedge RA1(true)[y/s]) \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge \neg y.wait \wedge RA1(true)[y/s]) \end{array}\right) \\ \vdash \\ \begin{array}{l} (\exists y \bullet (y.tr = s.tr \wedge y.wait) \wedge (y \in ac' \lhd y.wait \rhd RA1(true)[y/s])) \\ \wedge \\ (\exists y \bullet (\neg y.wait \wedge y.tr = s.tr) \wedge (y \in ac' \lhd y.wait \rhd RA1(true)[y/s])) \end{array} \end{array}\right) & \{\text{Predicate calculus and property of conditional}\} \\
= RA \circ A\left(\begin{array}{l} \neg \left(\begin{array}{l} false \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge \neg y.wait \wedge RA1(true)[y/s]) \end{array}\right) \\ \vdash \\ \begin{array}{l} (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac') \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge RA1(true)[y/s]) \end{array} \end{array}\right) & \{\text{Predicate calculus}\} \\
= RA \circ A\left(\begin{array}{l} true \\ \vdash \\ \begin{array}{l} (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac') \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge RA1(true)[y/s]) \end{array} \end{array}\right) & \{\text{Lemma L.G.1.10 and substitution}\} \\
= RA \circ A\left(\begin{array}{l} true \\ \vdash \\ \begin{array}{l} (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac') \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge (\exists z \bullet y.tr \leq z.tr \wedge z \in ac')) \end{array} \end{array}\right) & \{\text{Transitivity of equality}\} \\
= RA \circ A\left(\begin{array}{l} true \\ \vdash \\ \begin{array}{l} (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac') \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge (\exists z \bullet s.tr \leq z.tr \wedge z \in ac')) \end{array} \end{array}\right) & \{\text{Predicate calculus}\} \\
= RA \circ A\left(\begin{array}{l} true \\ \vdash \\ \begin{array}{l} (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac') \\ \wedge \\ (\exists z \bullet s.tr \leq z.tr \wedge z \in ac') \end{array} \end{array}\right) & \{\text{Lemma L.G.1.10}\} \\
= RA \circ A\left(\begin{array}{l} true \\ \vdash \\ (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac') \wedge RA1(true) \end{array}\right) & \{\text{Definition of } (e)^{y}_{ac'}\} \\
= RA \circ A(true \vdash (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait) \wedge RA1(true)) & \{\text{Lemma L.G.7.15 and Theorem T.5.2.2}\} \\
= RA \circ A(true \vdash (e)^{y}_{ac'}(y.tr = s.tr \wedge y.wait)) & \{\text{Definition of } \mathit{Stop}_{RAD}\} \\
= \mathit{Stop}_{RAD}
\end{array}
\]

□


G.8.8 Event Prefixing

Theorem T.5.4.26 Provided $P$ is a reactive angelic design,
\[
a \to_{RAD} \mathit{Skip}_{RAD} \sqcup_{RAD} P
= RA \circ A\left(
\begin{array}{l}
true \\
\vdash \\
(e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \wedge (\neg P^f_f \Rightarrow P^t_f)
\end{array}
\right)
\]

Proof.
\[
\begin{array}{ll}
a \to_{RAD} \mathit{Skip}_{RAD} \sqcup_{RAD} P & \{\text{Definition of prefixing}\} \\
= RA \circ A(true \vdash (e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) \sqcup_{RAD} P & \{\text{Assumption: } P \text{ is RAD-healthy}\} \\
= RA \circ A(true \vdash (e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) \sqcup_{RAD} RA \circ A(\neg P^f_f \vdash P^t_f) & \{\text{Theorem [TIP]}\} \\
= RA \circ A\left(\begin{array}{l} (true \vee \neg P^f_f) \\ \vdash \\ (true \Rightarrow (e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) \wedge (\neg P^f_f \Rightarrow P^t_f) \end{array}\right) & \{\text{Predicate calculus}\} \\
= RA \circ A\left(\begin{array}{l} true \\ \vdash \\ (e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \wedge (\neg P^f_f \Rightarrow P^t_f) \end{array}\right)
\end{array}
\]

□


Relationship with CSP

Theorem T.5.4.27 $\mathit{ac2p}(a \to_{RAD} \mathit{Skip}_{RAD}) = a \to_R \mathit{Skip}_R$

Proof.
\[
\begin{array}{ll}
\mathit{ac2p}(a \to_{RAD} \mathit{Skip}_{RAD}) & \{\text{Definition of } a \to_{RAD} \mathit{Skip}_{RAD}\} \\
= \mathit{ac2p} \circ RA \circ A(true \vdash (e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) & \{\text{Theorem T.5.3.2}\} \\
= R(\neg \mathit{ac2p}(false) \vdash \mathit{ac2p}((e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)))) & \{\text{Lemma L.C.5.27 and predicate calculus}\} \\
= R(true \vdash \mathit{ac2p}((e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)))) & \{\text{Definition of } (e)^{y}_{ac'} \text{ and conditional}\} \\
= R\left(true \vdash \mathit{ac2p}\left(\begin{array}{l} (\exists y \bullet y \in ac' \wedge y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ (\exists y \bullet y \in ac' \wedge \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle) \end{array}\right)\right) & \{\text{Theorem T.C.5.1}\} \\
= R\left(true \vdash \begin{array}{l} \mathit{ac2p}(\exists y \bullet y \in ac' \wedge y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \mathit{ac2p}(\exists y \bullet y \in ac' \wedge \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle) \end{array}\right) & \{\text{Lemma L.C.5.21}\} \\
= R\left(true \vdash \begin{array}{l} (y.wait \wedge y.tr = s.tr \wedge a \notin y.ref)[\mathit{State}_{II}(in\alpha_{-ok}), \mathit{undash}(\mathit{State}_{II}(out\alpha_{-ok'}))/s, y] \\ \vee \\ (\neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle)[\mathit{State}_{II}(in\alpha_{-ok}), \mathit{undash}(\mathit{State}_{II}(out\alpha_{-ok'}))/s, y] \end{array}\right) & \{\text{Definition of } \mathit{State}_{II}, \mathit{undash} \text{ and substitution}\} \\
= R(true \vdash (wait' \wedge tr' = tr \wedge a \notin ref') \vee (\neg wait' \wedge tr' = tr \frown \langle a \rangle)) & \{\text{Definition of conditional}\} \\
= R(true \vdash (tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr \frown \langle a \rangle)) & \{\text{Definition of } \mathit{Skip}_R\} \\
= a \to_R \mathit{Skip}_R
\end{array}
\]

□

Theorem T.5.4.28 $\mathit{p2ac}(a \to_R \mathit{Skip}_R) = a \to_{RAD} \mathit{Skip}_{RAD}$

Proof.
\[
\begin{array}{ll}
\mathit{p2ac}(a \to_R \mathit{Skip}_R) & \{\text{Definition of } a \to_R \mathit{Skip}_R\} \\
= \mathit{p2ac} \circ R(true \vdash (tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr \frown \langle a \rangle)) & \{\text{Theorem T.5.3.4}\} \\
= RA \circ A(\neg \mathit{p2ac}(false) \vdash \mathit{p2ac}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr \frown \langle a \rangle))) & \{\text{Lemma L.C.5.3 and predicate calculus}\} \\
= RA \circ A(true \vdash \mathit{p2ac}((tr' = tr \wedge a \notin ref') \lhd wait' \rhd (tr' = tr \frown \langle a \rangle))) & \{\text{Definition of conditional}\} \\
= RA \circ A(true \vdash \mathit{p2ac}((wait' \wedge tr' = tr \wedge a \notin ref') \vee (\neg wait' \wedge tr' = tr \frown \langle a \rangle))) & \{\text{Theorem T.4.6.1}\} \\
= RA \circ A(true \vdash \mathit{p2ac}(wait' \wedge tr' = tr \wedge a \notin ref') \vee \mathit{p2ac}(\neg wait' \wedge tr' = tr \frown \langle a \rangle)) & \{\text{Definition of } \mathit{p2ac} \text{ and substitution}\} \\
= RA \circ A\left(true \vdash \begin{array}{l} (\exists z \bullet z.wait' \wedge z.tr' = s.tr \wedge a \notin z.ref' \wedge \mathit{undash}(z) \in ac') \\ \vee \\ (\exists z \bullet \neg z.wait' \wedge z.tr' = s.tr \frown \langle a \rangle \wedge \mathit{undash}(z) \in ac') \end{array}\right) & \{\text{Introduce auxiliary variable}\} \\
= RA \circ A\left(true \vdash \begin{array}{l} (\exists z, y \bullet z.wait' \wedge z.tr' = s.tr \wedge a \notin z.ref' \wedge \mathit{undash}(z) = y \wedge y \in ac') \\ \vee \\ (\exists z, y \bullet \neg z.wait' \wedge z.tr' = s.tr \frown \langle a \rangle \wedge \mathit{undash}(z) = y \wedge y \in ac') \end{array}\right) & \{\text{Property of } \mathit{undash} \text{ and } \mathit{dash}\} \\
= RA \circ A\left(true \vdash \begin{array}{l} (\exists z, y \bullet z.wait' \wedge z.tr' = s.tr \wedge a \notin z.ref' \wedge z = \mathit{dash}(y) \wedge y \in ac') \\ \vee \\ (\exists z, y \bullet \neg z.wait' \wedge z.tr' = s.tr \frown \langle a \rangle \wedge z = \mathit{dash}(y) \wedge y \in ac') \end{array}\right) & \{\text{One-point rule}\} \\
= RA \circ A\left(true \vdash \begin{array}{l} (\exists y \bullet \mathit{dash}(y).wait' \wedge \mathit{dash}(y).tr' = s.tr \wedge a \notin \mathit{dash}(y).ref' \wedge y \in ac') \\ \vee \\ (\exists y \bullet \neg \mathit{dash}(y).wait' \wedge \mathit{dash}(y).tr' = s.tr \frown \langle a \rangle \wedge y \in ac') \end{array}\right) & \{\text{Property of } \mathit{dash}\} \\
= RA \circ A\left(true \vdash \begin{array}{l} (\exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \\ \vee \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge y \in ac') \end{array}\right) & \{\text{Predicate calculus and definition of } (e)^{y}_{ac'}\} \\
= RA \circ A\left(true \vdash (e)^{y}_{ac'}\left(\begin{array}{l} (y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ (\neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle) \end{array}\right)\right) & \{\text{Definition of conditional}\} \\
= RA \circ A(true \vdash (e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) & \{\text{Definition of } a \to_{RAD} \mathit{Skip}_{RAD}\} \\
= a \to_{RAD} \mathit{Skip}_{RAD}
\end{array}
\]

□


Theorem T.5.4.29 Provided $P$ is RAD-healthy,
\[
a \to_{RAD} P
= RA \circ A\left(
\begin{array}{l}
\neg \exists y \bullet y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge (RA2 \circ RA1(P^f_f))[y/s] \\
\vdash \\
\exists y \bullet (y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle \wedge (RA2 \circ RA1(P^t_f))[y/s])
\end{array}
\right)
\]

Proof.
\[
\begin{array}{ll}
a \to_{RAD} P & \{\text{Definition of } a \to_{RAD} P \text{ (event prefixing)}\} \\
= a \to_{RAD} \mathit{Skip}_{RAD} ;_{\mathcal{D}ac} P & \{\text{Assumption: } P \text{ is RAD-healthy (Theorem T.5.2.20)}\} \\
= a \to_{RAD} \mathit{Skip}_{RAD} ;_{\mathcal{D}ac} RA \circ A(\neg P^f_f \vdash P^t_f) & \{\text{Definition of } a \to_{RAD} \mathit{Skip}_{RAD}\} \\
= \left(\begin{array}{l} RA \circ A(true \vdash (e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) \\ ;_{\mathcal{D}ac} \\ RA \circ A(\neg P^f_f \vdash P^t_f) \end{array}\right) & \{\text{Theorem T.5.4.21}\} \\
= RA \circ A\left(\begin{array}{l} \neg (RA1(false) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg (RA1((e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(P^f_f))) \\ \vdash \\ RA1((e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg P^f_f \Rightarrow P^t_f))) \end{array}\right) & \{\text{Lemma L.G.7.26 and Theorem T.G.1.1}\} \\
= RA \circ A\left(\begin{array}{l} \neg (RA1(false) ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg ((e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(P^f_f))) \\ \vdash \\ (e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg P^f_f \Rightarrow P^t_f))) \end{array}\right) & \{\text{Lemma L.G.1.9}\} \\
= RA \circ A\left(\begin{array}{l} \neg (false ;_{\mathcal{A}} RA1(true)) \\ \wedge \\ \neg ((e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(P^f_f))) \\ \vdash \\ (e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg P^f_f \Rightarrow P^t_f))) \end{array}\right) & \{\text{Lemma L.F.1.1 and predicate calculus}\} \\
= RA \circ A\left(\begin{array}{l} \neg ((e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ RA1(P^f_f))) \\ \vdash \\ (e)^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg P^f_f \Rightarrow P^t_f))) \end{array}\right) & \{\text{Lemma L.G.7.27}\} \\
= RA \circ A\left(\begin{array}{l} \neg \left(\exists y \bullet \begin{array}{l} ((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ (\neg s.wait \wedge RA2 \circ RA1(P^f_f))[y/s] \end{array}\right) \\ \vdash \\ \exists y \bullet \begin{array}{l} ((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg P^f_f \Rightarrow P^t_f)))[y/s] \end{array} \end{array}\right) & \{\text{Substitution}\} \\
= RA \circ A\left(\begin{array}{l} \neg \left(\exists y \bullet \begin{array}{l} ((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \neg y.wait \wedge (RA2 \circ RA1(P^f_f))[y/s] \end{array}\right) \\ \vdash \\ \exists y \bullet \begin{array}{l} ((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ (y \in ac' \lhd y.wait \rhd (RA2 \circ RA1(\neg P^f_f \Rightarrow P^t_f))[y/s]) \end{array} \end{array}\right) & \{\text{Property of conditional and predicate calculus}\} \\
= RA \circ A\left(\begin{array}{l} \neg \exists y \bullet y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge (RA2 \circ RA1(P^f_f))[y/s] \\ \vdash \\ \exists y \bullet (y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd ((RA2 \circ RA1(\neg P^f_f \Rightarrow P^t_f))[y/s] \wedge y.tr = s.tr \frown \langle a \rangle) \end{array}\right) & \{\text{Definition of conditional and predicate calculus}\} \\
= RA \circ A\left(\begin{array}{l} \neg \exists y \bullet y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge (RA2 \circ RA1(P^f_f))[y/s] \\ \vdash \\ \begin{array}{l} (\exists y \bullet y.wait \wedge y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ (\exists y \bullet \neg y.wait \wedge (RA2 \circ RA1(\neg P^f_f \Rightarrow P^t_f))[y/s] \wedge y.tr = s.tr \frown \langle a \rangle) \end{array} \end{array}\right) & \{\text{Predicate calculus}\} \\
= RA \circ A\left(\begin{array}{l} \neg \exists y \bullet y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge (RA2 \circ RA1(P^f_f))[y/s] \\ \vdash \\ \begin{array}{l} (\exists y \bullet y.wait \wedge y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ (\exists y \bullet \neg y.wait \wedge (RA2 \circ RA1(P^f_f \vee P^t_f))[y/s] \wedge y.tr = s.tr \frown \langle a \rangle) \end{array} \end{array}\right) & \{\text{Theorems T.5.2.3 and T.5.2.7}\} \\
= RA \circ A\left(\begin{array}{l} \neg \exists y \bullet y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge (RA2 \circ RA1(P^f_f))[y/s] \\ \vdash \\ \begin{array}{l} (\exists y \bullet y.wait \wedge y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ (\exists y \bullet \neg y.wait \wedge (RA2 \circ RA1(P^f_f) \vee RA2 \circ RA1(P^t_f))[y/s] \wedge y.tr = s.tr \frown \langle a \rangle) \end{array} \end{array}\right) & \{\text{Property of substitution and predicate calculus}\} \\
= RA \circ A\left(\begin{array}{l} \neg \exists y \bullet y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge (RA2 \circ RA1(P^f_f))[y/s] \\ \vdash \\ \begin{array}{l} (\exists y \bullet y.wait \wedge y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge (RA2 \circ RA1(P^f_f))[y/s]) \\ \vee \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge (RA2 \circ RA1(P^t_f))[y/s]) \end{array} \end{array}\right) & \{\text{Definition of design and predicate calculus}\} \\
= RA \circ A\left(\begin{array}{l} \neg \exists y \bullet y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge (RA2 \circ RA1(P^f_f))[y/s] \\ \vdash \\ \begin{array}{l} (\exists y \bullet y.wait \wedge y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge (RA2 \circ RA1(P^t_f))[y/s]) \end{array} \end{array}\right) & \{\text{Predicate calculus and definition of conditional}\} \\
= RA \circ A\left(\begin{array}{l} \neg \exists y \bullet y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge (RA2 \circ RA1(P^f_f))[y/s] \\ \vdash \\ \exists y \bullet (y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle \wedge (RA2 \circ RA1(P^t_f))[y/s]) \end{array}\right)
\end{array}
\]

□


Lemma L.G.8.1
\[
\mathit{ac2p}(a \to_{RAD} \mathit{Chaos}_{RAD} \sqcup_{RAD} b \to_{RAD} \mathit{Chaos}_{RAD})
= R(true \vdash tr' = tr \wedge wait' \wedge a \notin ref' \wedge b \notin ref')
\]

Proof.
\[
\begin{array}{ll}
\mathit{ac2p}(a \to_{RAD} \mathit{Chaos}_{RAD} \sqcup_{RAD} b \to_{RAD} \mathit{Chaos}_{RAD}) & \{\text{Lemma L.G.8.6}\} \\
= \mathit{ac2p} \circ RA \circ A\left(\begin{array}{l} \neg ((e)^{y}_{ac'}(s.tr \frown \langle a \rangle \leq y.tr) \wedge (e)^{y}_{ac'}(s.tr \frown \langle b \rangle \leq y.tr)) \\ \vdash \\ \begin{array}{l} (e)^{y}_{ac'}((y.wait \wedge a \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle a \rangle \leq y.tr)) \\ \wedge \\ (e)^{y}_{ac'}((y.wait \wedge b \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle b \rangle \leq y.tr)) \end{array} \end{array}\right) & \{\text{Theorem T.5.3.2}\} \\
= R\left(\begin{array}{l} \neg \mathit{ac2p}((e)^{y}_{ac'}(s.tr \frown \langle a \rangle \leq y.tr) \wedge (e)^{y}_{ac'}(s.tr \frown \langle b \rangle \leq y.tr)) \\ \vdash \\ \mathit{ac2p}\left(\begin{array}{l} (e)^{y}_{ac'}((y.wait \wedge a \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle a \rangle \leq y.tr)) \\ \wedge \\ (e)^{y}_{ac'}((y.wait \wedge b \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle b \rangle \leq y.tr)) \end{array}\right) \end{array}\right) & \{\text{Lemma L.G.7.13 and Theorems T.G.5.2 and T.E.3.1}\} \\
= R\left(\begin{array}{l} \neg (\mathit{ac2p}((e)^{y}_{ac'}(s.tr \frown \langle a \rangle \leq y.tr)) \wedge \mathit{ac2p}((e)^{y}_{ac'}(s.tr \frown \langle b \rangle \leq y.tr))) \\ \vdash \\ \begin{array}{l} \mathit{ac2p}((e)^{y}_{ac'}((y.wait \wedge a \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle a \rangle \leq y.tr))) \\ \wedge \\ \mathit{ac2p}((e)^{y}_{ac'}((y.wait \wedge b \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle b \rangle \leq y.tr))) \end{array} \end{array}\right) & \{\text{Definition of } (e)^{y}_{ac'}, \text{ Lemmas L.C.5.21 and L.G.7.29}\} \\
= R\left(\begin{array}{l} \neg \left(\begin{array}{l} (s.tr \frown \langle a \rangle \leq y.tr)[\mathit{State}_{II}(in\alpha_{-ok}), \mathit{undash}(\mathit{State}_{II}(out\alpha_{-ok'}))/s, y] \\ \wedge \\ (s.tr \frown \langle b \rangle \leq y.tr)[\mathit{State}_{II}(in\alpha_{-ok}), \mathit{undash}(\mathit{State}_{II}(out\alpha_{-ok'}))/s, y] \end{array}\right) \\ \vdash \\ \begin{array}{l} ((y.wait \wedge a \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle a \rangle \leq y.tr))[\mathit{State}_{II}(in\alpha_{-ok}), \mathit{undash}(\mathit{State}_{II}(out\alpha_{-ok'}))/s, y] \\ \wedge \\ ((y.wait \wedge b \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle b \rangle \leq y.tr))[\mathit{State}_{II}(in\alpha_{-ok}), \mathit{undash}(\mathit{State}_{II}(out\alpha_{-ok'}))/s, y] \end{array} \end{array}\right) & \{\text{Substitution}\} \\
= R\left(\begin{array}{l} \neg ((tr \frown \langle a \rangle \leq tr') \wedge (tr \frown \langle b \rangle \leq tr')) \\ \vdash \\ ((wait' \wedge a \notin ref') \lhd tr' = tr \rhd (tr \frown \langle a \rangle \leq tr')) \wedge ((wait' \wedge b \notin ref') \lhd tr' = tr \rhd (tr \frown \langle b \rangle \leq tr')) \end{array}\right) & \{\text{Property of conditional}\} \\
= R\left(\begin{array}{l} \neg ((tr \frown \langle a \rangle \leq tr') \wedge (tr \frown \langle b \rangle \leq tr')) \\ \vdash \\ (wait' \wedge a \notin ref' \wedge b \notin ref') \lhd tr' = tr \rhd (tr \frown \langle a \rangle \leq tr' \wedge tr \frown \langle b \rangle \leq tr') \end{array}\right) & \{\text{Property of sequences}\} \\
= R(\neg false \vdash (wait' \wedge a \notin ref' \wedge b \notin ref') \lhd tr' = tr \rhd false) & \{\text{Predicate calculus and property of conditional}\} \\
= R(true \vdash tr' = tr \wedge wait' \wedge a \notin ref' \wedge b \notin ref')
\end{array}
\]

□


Lemma L.G.8.2
\[
\mathit{ac2p}(a \to_{RAD} \mathit{Stop}_{RAD} \sqcup_{RAD} b \to_{RAD} \mathit{Stop}_{RAD}) = a \to_R \mathit{Stop}_R \sqcup_R b \to_R \mathit{Stop}_R
\]

Proof.
\[
\begin{array}{ll}
\mathit{ac2p}(a \to_{RAD} \mathit{Stop}_{RAD} \sqcup_{RAD} b \to_{RAD} \mathit{Stop}_{RAD}) & \{\text{Definition of } \sqcup_{RAD} \text{ and Theorem T.C.5.2}\} \\
= \mathit{ac2p}(a \to_{RAD} \mathit{Stop}_{RAD}) \wedge \mathit{ac2p}(b \to_{RAD} \mathit{Stop}_{RAD}) & \{\text{Lemma L.G.8.4}\} \\
= a \to_R \mathit{Stop}_R \wedge b \to_R \mathit{Stop}_R & \{\text{Definition of } \sqcup_R\} \\
= a \to_R \mathit{Stop}_R \sqcup_R b \to_R \mathit{Stop}_R
\end{array}
\]

□


Lemma L.G.8.3
\[
\mathit{p2ac}(a \to_R \mathit{Stop}_R \sqcup_R b \to_R \mathit{Stop}_R)
= RA \circ A(true \vdash \exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge b \notin y.ref \wedge y \in ac')
\]

Proof.
\[
\begin{array}{ll}
\mathit{p2ac}(a \to_R \mathit{Stop}_R \sqcup_R b \to_R \mathit{Stop}_R) & \{\text{Definition of } \sqcup_R\} \\
= \mathit{p2ac}(a \to_R \mathit{Stop}_R \wedge b \to_R \mathit{Stop}_R) & \{\text{Definition of prefixing and Lemma L.A.3.3}\} \\
= \mathit{p2ac}\left(\begin{array}{l} R(true \vdash wait' \wedge ((a \notin ref' \wedge tr' = tr) \vee (tr' = tr \frown \langle a \rangle))) \\ \wedge \\ R(true \vdash wait' \wedge ((b \notin ref' \wedge tr' = tr) \vee (tr' = tr \frown \langle b \rangle))) \end{array}\right) & \{\text{Distributivity of R1, R2 and R3 through conjunction}\} \\
= \mathit{p2ac} \circ R\left(\begin{array}{l} (true \vdash wait' \wedge ((a \notin ref' \wedge tr' = tr) \vee (tr' = tr \frown \langle a \rangle))) \\ \wedge \\ (true \vdash wait' \wedge ((b \notin ref' \wedge tr' = tr) \vee (tr' = tr \frown \langle b \rangle))) \end{array}\right) & \{\text{Conjunction of designs}\} \\
= \mathit{p2ac} \circ R\left(\begin{array}{l} (true \vee true) \\ \vdash \\ (true \Rightarrow (wait' \wedge ((a \notin ref' \wedge tr' = tr) \vee (tr' = tr \frown \langle a \rangle)))) \\ \wedge \\ (true \Rightarrow (wait' \wedge ((b \notin ref' \wedge tr' = tr) \vee (tr' = tr \frown \langle b \rangle)))) \end{array}\right) & \{\text{Predicate calculus}\} \\
= \mathit{p2ac} \circ R\left(\begin{array}{l} true \\ \vdash \\ (wait' \wedge ((a \notin ref' \wedge tr' = tr) \vee (tr' = tr \frown \langle a \rangle))) \\ \wedge \\ (wait' \wedge ((b \notin ref' \wedge tr' = tr) \vee (tr' = tr \frown \langle b \rangle))) \end{array}\right) & \{\text{Predicate calculus}\} \\
= \mathit{p2ac} \circ R\left(\begin{array}{l} true \\ \vdash \\ ((wait' \wedge a \notin ref' \wedge tr' = tr) \vee (wait' \wedge tr' = tr \frown \langle a \rangle)) \\ \wedge \\ ((wait' \wedge b \notin ref' \wedge tr' = tr) \vee (wait' \wedge tr' = tr \frown \langle b \rangle)) \end{array}\right) & \{\text{Predicate calculus}\} \\
= \mathit{p2ac} \circ R\left(\begin{array}{l} true \\ \vdash \\ (wait' \wedge a \notin ref' \wedge tr' = tr \wedge wait' \wedge tr' = tr \frown \langle b \rangle) \\ \vee \\ (wait' \wedge a \notin ref' \wedge tr' = tr \wedge wait' \wedge b \notin ref' \wedge tr' = tr) \\ \vee \\ (wait' \wedge tr' = tr \frown \langle a \rangle \wedge wait' \wedge b \notin ref' \wedge tr' = tr) \\ \vee \\ (wait' \wedge tr' = tr \frown \langle a \rangle \wedge wait' \wedge tr' = tr \frown \langle b \rangle) \end{array}\right) & \{\text{Predicate calculus and property of sequences}\} \\
= \mathit{p2ac} \circ R(true \vdash wait' \wedge tr' = tr \wedge a \notin ref' \wedge b \notin ref') & \{\text{Theorem T.5.3.4}\} \\
= RA \circ A(\neg \mathit{p2ac}(false) \vdash \mathit{p2ac}(wait' \wedge tr' = tr \wedge a \notin ref' \wedge b \notin ref')) & \{\text{Lemma L.C.5.3 and predicate calculus}\} \\
= RA \circ A(true \vdash \mathit{p2ac}(wait' \wedge tr' = tr \wedge a \notin ref' \wedge b \notin ref')) & \{\text{Definition of } \mathit{p2ac} \text{ and substitution}\} \\
= RA \circ A(true \vdash \exists z \bullet z.wait' \wedge z.tr' = s.tr \wedge a \notin z.ref' \wedge b \notin z.ref' \wedge \mathit{undash}(z) \in ac') & \{\text{Introduce fresh variable } y\} \\
= RA \circ A\left(true \vdash \exists y, z \bullet \begin{array}{l} z.wait' \wedge z.tr' = s.tr \wedge a \notin z.ref' \wedge b \notin z.ref' \\ \wedge \\ y \in ac' \wedge \mathit{undash}(z) = y \end{array}\right) & \{\text{Property of } \mathit{dash} \text{ and } \mathit{undash}\} \\
= RA \circ A\left(true \vdash \exists y, z \bullet \begin{array}{l} z.wait' \wedge z.tr' = s.tr \wedge a \notin z.ref' \wedge b \notin z.ref' \\ \wedge \\ y \in ac' \wedge z = \mathit{dash}(y) \end{array}\right) & \{\text{One-point rule and substitution}\} \\
= RA \circ A\left(true \vdash \exists y \bullet \begin{array}{l} \mathit{dash}(y).wait' \wedge \mathit{dash}(y).tr' = s.tr \wedge a \notin \mathit{dash}(y).ref' \wedge b \notin \mathit{dash}(y).ref' \\ \wedge \\ y \in ac' \end{array}\right) & \{\text{Property of } \mathit{dash}\} \\
= RA \circ A(true \vdash \exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge b \notin y.ref \wedge y \in ac')
\end{array}
\]

□


Lemma L.G.8.4 $ac2p(a \rightarrow_{RAD} Stop_{RAD}) = a \rightarrow_R Stop_R$

Proof.
$$ac2p(a \rightarrow_{RAD} Stop_{RAD})$$
{Lemma L.G.8.11}
$$= ac2p \circ \mathbf{RA} \circ \mathbf{A}(true \vdash \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle)))$$
{Theorem T.5.3.2}
$$= \mathbf{R}(\neg ac2p(\neg true) \vdash ac2p(\circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle))))$$
{Predicate calculus and Lemma L.C.5.27}
$$= \mathbf{R}(true \vdash ac2p(\circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle))))$$
{Lemma L.G.7.3}
$$= \mathbf{R}(true \vdash (y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle))[State_{II}(in\alpha)/s][undash(State_{II}(out\alpha'_{-ok'}))/y])$$
{Substitution and value of record components}
$$= \mathbf{R}(true \vdash wait' \wedge ((tr' = tr \wedge a \notin ref') \vee tr' = tr \frown \langle a \rangle))$$
{Lemma L.A.3.3}
$$= a \rightarrow_R Stop_R$$
□


Properties and Examples

Theorem T.G.8.7 Provided $P$ is RAD-healthy,
$$P ;_{\mathcal{D}ac} Chaos_{RAD} = \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(P^f_f) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg(\mathbf{RA1}(P^t_f) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))) \\ \vdash \\ \mathbf{RA1}(P^t_f) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}(true)) \end{array}\right)$$

Proof.
$$P ;_{\mathcal{D}ac} Chaos_{RAD}$$
{Definition of $Chaos_{RAD}$}
$$= P ;_{\mathcal{D}ac} \mathbf{RA}\circ\mathbf{A}(false \vdash true)$$
{Assumption: $P$ is RAD-healthy and Theorem T.5.2.20}
$$= \mathbf{RA}\circ\mathbf{A}(\neg P^f_f \vdash P^t_f) ;_{\mathcal{D}ac} \mathbf{RA}\circ\mathbf{A}(false \vdash true)$$
{Theorem T.5.4.21}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(P^f_f) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg(\mathbf{RA1}(P^t_f) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))) \\ \vdash \\ \mathbf{RA1}(P^t_f) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd (\mathbf{RA2}\circ\mathbf{RA1}(false \Rightarrow true))) \end{array}\right)$$
{Predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(P^f_f) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg(\mathbf{RA1}(P^t_f) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))) \\ \vdash \\ \mathbf{RA1}(P^t_f) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}(true)) \end{array}\right)$$
□
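As an added worked instance of Theorem T.G.8.7 (an editorial example, not part of the thesis text), take $P = Stop_{RAD}$, in the design form $\mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr))$ used in the proof of Lemma L.G.8.11, so that $P^f_f = false$ and $P^t_f = \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr)$. The steps mirror those of the proof of Lemma L.G.8.13 and use the same lemmas; the outcome, $Stop_{RAD} ;_{\mathcal{D}ac} Chaos_{RAD} = Stop_{RAD}$, is what one expects from CSP's $STOP ; CHAOS = STOP$: a process that never terminates never reaches the divergence that follows it.
$$Stop_{RAD} ;_{\mathcal{D}ac} Chaos_{RAD}$$
{Definition of $Stop_{RAD}$ and Theorem T.G.8.7}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg(\mathbf{RA1}(\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr)) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))) \\ \vdash \\ \mathbf{RA1}(\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr)) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}(true)) \end{array}\right)$$
{Lemma L.G.7.15, property of sequences, Theorem T.5.2.10 and Lemma L.G.2.4, as in the proof of Lemma L.G.8.13}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg(\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA1}(true))) \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA1}(true)) \end{array}\right)$$
{Definition of $\circledS^{y}_{ac'}$, $;_{\mathbf{A}}$ and property of sets}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg(\exists y \bullet y.wait \wedge y.tr = s.tr \wedge \neg y.wait \wedge \mathbf{RA1}(true)[y/s]) \\ \vdash \\ \exists y \bullet y.wait \wedge y.tr = s.tr \wedge (y \in ac' \lhd y.wait \rhd \mathbf{RA1}(true)[y/s]) \end{array}\right)$$
{Predicate calculus and property of conditional}
$$= \mathbf{RA}\circ\mathbf{A}(\neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \wedge \neg false \vdash \exists y \bullet y.wait \wedge y.tr = s.tr \wedge y \in ac')$$
{Lemmas L.F.1.1 and L.G.1.9, definition of $\circledS^{y}_{ac'}$ and Lemma L.G.7.29}
$$= \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr))$$
{Definition of $Stop_{RAD}$}
$$= Stop_{RAD}$$
The precondition of the composition is $true$ because the only way to reach $Chaos_{RAD}$ would be through a terminated ($\neg y.wait$) state of $Stop_{RAD}$, and $Stop_{RAD}$ offers none; this is exactly the role of the second conjunct in the precondition of Theorem T.G.8.7.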


Theorem T.G.8.8
$$a \rightarrow_{RAD} Chaos_{RAD} = \mathbf{RA}\circ\mathbf{A}(\neg \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \vdash \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref))$$

Proof.
$$a \rightarrow_{RAD} Chaos_{RAD}$$
{Definition of $Chaos_{RAD}$}
$$= a \rightarrow_{RAD} \mathbf{RA}\circ\mathbf{A}(false \vdash true)$$
{Lemma L.G.8.10}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \Rightarrow \neg(\exists ref \bullet (\mathbf{RA2}(true))[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s]) \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ ((\exists ref \bullet \mathbf{RA2}(true)[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s]) \wedge \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr)) \end{array}\right)$$
{Lemma L.G.2.2 and substitution}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \Rightarrow \neg(\exists ref \bullet true) \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee ((\exists ref \bullet true) \wedge \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr)) \end{array}\right)$$
{Predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \end{array}\right)$$
{Definition of design and predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}(\neg \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \vdash \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref))$$
□


APPENDIX G. REACTIVE ANGELIC DESIGNS (RAD)

Lemma L.G.8.5
$$a \rightarrow_{RAD} Chaos_{RAD} = \mathbf{RA}\circ\mathbf{A}(\neg \circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \vdash \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref))$$

Proof.
$$a \rightarrow_{RAD} Chaos_{RAD}$$
{Definition of prefixing}
$$= a \rightarrow_{RAD} Skip_{RAD} ;_{\mathcal{D}ac} Chaos_{RAD}$$
{Definition of prefixing and $Chaos_{RAD}$}
$$= \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) ;_{\mathcal{D}ac} \mathbf{RA}\circ\mathbf{A}(false \vdash ac' \neq \emptyset)$$
{Theorem T.5.4.21}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg(\mathbf{RA1}(\circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))) \\ \vdash \\ \mathbf{RA1}(\circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd (\mathbf{RA2}\circ\mathbf{RA1}(false \Rightarrow ac' \neq \emptyset))) \end{array}\right)$$
{Lemma L.G.7.15}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg(\circledS^{y}_{ac'}(((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \wedge s.tr \le y.tr) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))) \\ \vdash \\ \circledS^{y}_{ac'}(((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \wedge s.tr \le y.tr) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd (\mathbf{RA2}\circ\mathbf{RA1}(false \Rightarrow ac' \neq \emptyset))) \end{array}\right)$$
{Property of sequences and conditional}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg(\circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))) \\ \vdash \\ \circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd (\mathbf{RA2}\circ\mathbf{RA1}(false \Rightarrow ac' \neq \emptyset))) \end{array}\right)$$
{Predicate calculus, Theorem T.5.2.10 and Lemma L.G.7.21}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg(\circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA1}(true))) \\ \vdash \\ \circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA1}(true)) \end{array}\right)$$
{Lemmas L.F.1.1 and L.G.1.9 and predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA1}(true))) \\ \vdash \\ \circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA1}(true)) \end{array}\right)$$
{Lemma L.G.7.31}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg\left(\left(\begin{array}{l} \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle) \end{array}\right) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA1}(true))\right) \\ \vdash \\ \left(\begin{array}{l} \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle) \end{array}\right) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA1}(true)) \end{array}\right)$$
{Lemma L.F.1.4}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg\left(\begin{array}{l} (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA1}(true))) \\ \vee \\ (\circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA1}(true))) \end{array}\right) \\ \vdash \\ (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA1}(true))) \\ \vee \\ (\circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA1}(true))) \end{array}\right)$$
{Lemma L.G.7.29, definition of $;_{\mathbf{A}}$ and substitution}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg\left(\begin{array}{l} (\exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge \neg y.wait \wedge \mathbf{RA1}(true)[y/s]) \\ \vee \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge \mathbf{RA1}(true)[y/s]) \end{array}\right) \\ \vdash \\ (\exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge (y \in ac' \lhd y.wait \rhd \mathbf{RA1}(true)[y/s])) \\ \vee \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge (y \in ac' \lhd y.wait \rhd \mathbf{RA1}(true)[y/s])) \end{array}\right)$$
{Predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\exists y \bullet \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge \mathbf{RA1}(true)[y/s]) \\ \vdash \\ (\exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \\ \vee \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge \mathbf{RA1}(true)[y/s]) \end{array}\right)$$
{Definition of design and predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\exists y \bullet \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge \mathbf{RA1}(true)[y/s]) \\ \vdash \\ \exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac' \end{array}\right)$$
{Lemma L.G.1.10 and substitution}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg\left(\exists y \bullet \begin{array}{l} \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \\ \wedge \\ (\exists z \bullet y.tr \le z.tr \wedge z \in ac') \end{array}\right) \\ \vdash \\ \exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac' \end{array}\right)$$
{Introduce fresh variable $t$}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg\left(\exists t, y \bullet \begin{array}{l} y = t \oplus \{wait \mapsto false, tr \mapsto s.tr \frown \langle a \rangle\} \\ \wedge \\ (\exists z \bullet y.tr \le z.tr \wedge z \in ac') \end{array}\right) \\ \vdash \\ \exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac' \end{array}\right)$$
{One-point rule, substitution and value of record component $tr$}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\exists z \bullet s.tr \frown \langle a \rangle \le z.tr \wedge z \in ac') \\ \vdash \\ \exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac' \end{array}\right)$$
{Rename variable, definition of $\circledS^{y}_{ac'}$, and Lemma L.G.7.29}
$$= \mathbf{RA}\circ\mathbf{A}(\neg \circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \vdash \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref))$$
□


Lemma L.G.8.6
$$a \rightarrow_{RAD} Chaos_{RAD} \sqcup_{RAD} b \rightarrow_{RAD} Chaos_{RAD} = \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr)) \\ \vdash \\ \circledS^{y}_{ac'}((y.wait \wedge a \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle a \rangle \le y.tr)) \\ \wedge \\ \circledS^{y}_{ac'}((y.wait \wedge b \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle b \rangle \le y.tr)) \end{array}\right)$$

Proof.
$$a \rightarrow_{RAD} Chaos_{RAD} \sqcup_{RAD} b \rightarrow_{RAD} Chaos_{RAD}$$
{Lemma L.G.8.5}
$$= \begin{array}{l} \mathbf{RA}\circ\mathbf{A}(\neg \circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \vdash \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref)) \\ \sqcup_{RAD} \\ \mathbf{RA}\circ\mathbf{A}(\neg \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr) \vdash \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge b \notin y.ref)) \end{array}$$
{Theorem T.5.4.4}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg \circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \vee \neg \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr) \\ \vdash \\ (\neg \circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \Rightarrow \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref)) \\ \wedge \\ (\neg \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr) \Rightarrow \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge b \notin y.ref)) \end{array}\right)$$
{Predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr)) \\ \vdash \\ (\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref)) \\ \wedge \\ (\circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge b \notin y.ref)) \end{array}\right)$$
{Lemma L.G.7.30 and definition of conditional}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr)) \\ \vdash \\ \circledS^{y}_{ac'}((y.wait \wedge a \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle a \rangle \le y.tr)) \\ \wedge \\ \circledS^{y}_{ac'}((y.wait \wedge b \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle b \rangle \le y.tr)) \end{array}\right)$$
□


Lemma L.G.8.7
$$(a \rightarrow_{RAD} Chaos_{RAD} \sqcup_{RAD} b \rightarrow_{RAD} Chaos_{RAD}) \Box_{RAD} Stop_{RAD} = \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr)) \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge b \notin y.ref) \end{array}\right)$$

Proof.
$$(a \rightarrow_{RAD} Chaos_{RAD} \sqcup_{RAD} b \rightarrow_{RAD} Chaos_{RAD}) \Box_{RAD} Stop_{RAD}$$
{Lemma L.G.8.6 and Theorem T.5.4.30}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr)) \\ \vdash \\ \exists z \bullet \left(\begin{array}{l} \circledS^{y}_{ac'}((y.wait \wedge a \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle a \rangle \le y.tr)) \\ \wedge \\ \circledS^{y}_{ac'}((y.wait \wedge b \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle b \rangle \le y.tr)) \end{array}\right)[\{z\}/ac'] \wedge z \in ac' \end{array}\right)$$
{Definition of $\circledS^{y}_{ac'}$, Lemma L.G.7.29}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr)) \\ \vdash \\ \exists z \bullet \left(\begin{array}{l} (\exists y \bullet ((y.wait \wedge a \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle a \rangle \le y.tr)) \wedge y \in ac') \\ \wedge \\ (\exists y \bullet ((y.wait \wedge b \notin y.ref) \lhd y.tr = s.tr \rhd (s.tr \frown \langle b \rangle \le y.tr)) \wedge y \in ac') \end{array}\right)[\{z\}/ac'] \wedge z \in ac' \end{array}\right)$$
{Substitution, property of sets and one-point rule}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr)) \\ \vdash \\ \exists z \bullet \left(\begin{array}{l} ((z.wait \wedge a \notin z.ref) \lhd z.tr = s.tr \rhd (s.tr \frown \langle a \rangle \le z.tr)) \\ \wedge \\ ((z.wait \wedge b \notin z.ref) \lhd z.tr = s.tr \rhd (s.tr \frown \langle b \rangle \le z.tr)) \end{array}\right) \wedge z \in ac' \end{array}\right)$$
{Property of conditional}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr)) \\ \vdash \\ \exists z \bullet ((z.wait \wedge a \notin z.ref \wedge b \notin z.ref) \lhd z.tr = s.tr \rhd (s.tr \frown \langle a \rangle \le z.tr \wedge s.tr \frown \langle b \rangle \le z.tr)) \wedge z \in ac' \end{array}\right)$$
{Property of sequences: $s.tr \frown \langle a \rangle$ and $s.tr \frown \langle b \rangle$ cannot both be prefixes of $z.tr$ provided $a \neq b$}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr)) \\ \vdash \\ \exists z \bullet ((z.wait \wedge a \notin z.ref \wedge b \notin z.ref) \lhd z.tr = s.tr \rhd false) \wedge z \in ac' \end{array}\right)$$
{Property of conditional}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr)) \\ \vdash \\ \exists z \bullet z.wait \wedge z.tr = s.tr \wedge a \notin z.ref \wedge b \notin z.ref \wedge z \in ac' \end{array}\right)$$
{Variable renaming, definition of $\circledS^{y}_{ac'}$, and Lemma L.G.7.29}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{y}_{ac'}(s.tr \frown \langle b \rangle \le y.tr)) \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge b \notin y.ref) \end{array}\right)$$
□

Lemma L.G.8.8
$$a \rightarrow_{RAD} Stop_{RAD} \sqcup_{RAD} b \rightarrow_{RAD} Stop_{RAD} = \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge b \notin y.ref) \vee y.tr = s.tr \frown \langle b \rangle)) \end{array}\right)$$

Proof.
$$a \rightarrow_{RAD} Stop_{RAD} \sqcup_{RAD} b \rightarrow_{RAD} Stop_{RAD}$$
{Lemma L.G.8.11}
$$= \begin{array}{l} \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle))) \\ \sqcup_{RAD} \\ \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge b \notin y.ref) \vee y.tr = s.tr \frown \langle b \rangle))) \end{array}$$
{Theorem T.5.4.1}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \vee true \\ \vdash \\ (true \Rightarrow \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle))) \\ \wedge \\ (true \Rightarrow \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge b \notin y.ref) \vee y.tr = s.tr \frown \langle b \rangle))) \end{array}\right)$$
{Predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge b \notin y.ref) \vee y.tr = s.tr \frown \langle b \rangle)) \end{array}\right)$$
□


Lemma L.G.8.9
$$(a \rightarrow_{RAD} Skip_{RAD}) \sqcup_{RAD} (b \rightarrow_{RAD} Chaos_{RAD}) = (a \rightarrow_{RAD} Skip_{RAD}) \sqcup_{RAD} (b \rightarrow_{RAD} Choice_{RAD})$$

Proof.
$$(a \rightarrow_{RAD} Skip_{RAD}) \sqcup_{RAD} (b \rightarrow_{RAD} Chaos_{RAD})$$
{Definition of $a \rightarrow Skip$ and Lemma L.G.8.5}
$$= \begin{array}{l} \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) \\ \sqcup_{RAD} \\ \mathbf{RA}\circ\mathbf{A}(\neg \circledS^{z}_{ac'}(s.tr \frown \langle b \rangle \le z.tr) \vdash \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge b \notin y.ref)) \end{array}$$
{Theorem T.5.4.1}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \vee \neg \circledS^{z}_{ac'}(s.tr \frown \langle b \rangle \le z.tr) \\ \vdash \\ (true \Rightarrow \circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) \\ \wedge \\ (\neg \circledS^{z}_{ac'}(s.tr \frown \langle b \rangle \le z.tr) \Rightarrow \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge b \notin y.ref)) \end{array}\right)$$
{Predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ (\circledS^{z}_{ac'}(s.tr \frown \langle b \rangle \le z.tr) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge b \notin y.ref)) \end{array}\right)$$
{Predicate calculus and Lemma L.G.7.30}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \circledS^{y}_{ac'}((s.tr \frown \langle b \rangle \le y.tr) \vee (y.wait \wedge y.tr = s.tr \wedge b \notin y.ref)) \end{array}\right)$$
{Theorem T.5.4.1}
$$= \begin{array}{l} \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle))) \\ \sqcup_{RAD} \\ \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}((s.tr \frown \langle b \rangle \le y.tr) \vee (y.wait \wedge y.tr = s.tr \wedge b \notin y.ref))) \end{array}$$
{Definition of $a \rightarrow Skip$ and Lemma L.G.8.14}
$$= (a \rightarrow_{RAD} Skip_{RAD}) \sqcup_{RAD} (b \rightarrow_{RAD} Choice_{RAD})$$
□


Lemma L.G.8.10 Provided $P$ is RAD-healthy,
$$a \rightarrow_{RAD} P = \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \Rightarrow \neg \exists ref \bullet (\mathbf{RA2}(P^f_f))[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s] \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \left(\begin{array}{l} (\exists ref \bullet \mathbf{RA2}(P^t_f)[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s]) \\ \wedge \\ \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \end{array}\right) \end{array}\right)$$

Proof.
$$a \rightarrow_{RAD} P$$
{Assumption: $P$ is RAD-healthy and Theorem T.5.4.29}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg \exists y \bullet y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge (\mathbf{RA2}\circ\mathbf{RA1}(P^f_f))[y/s] \\ \vdash \\ \exists y \bullet (y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd ((\mathbf{RA2}\circ\mathbf{RA1}(P^t_f))[y/s] \wedge y.tr = s.tr \frown \langle a \rangle) \end{array}\right)$$
{Definition of conditional and predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg \exists y \bullet y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge (\mathbf{RA2}\circ\mathbf{RA1}(P^f_f))[y/s] \\ \vdash \\ (\exists y \bullet y.wait \wedge y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ (\exists y \bullet \neg y.wait \wedge (\mathbf{RA2}\circ\mathbf{RA1}(P^t_f))[y/s] \wedge y.tr = s.tr \frown \langle a \rangle) \end{array}\right)$$
{Property of records}

G.8. OPERATORS 697

$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg \exists y, ref \bullet \left(\begin{array}{l} y = \{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\} \\ \wedge \\ (\mathbf{RA2}\circ\mathbf{RA1}(P^f_f))[y/s] \end{array}\right) \\ \vdash \\ (\exists y \bullet y.wait \wedge y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \exists y, ref \bullet \left(\begin{array}{l} y = \{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\} \\ \wedge \\ (\mathbf{RA2}\circ\mathbf{RA1}(P^t_f))[y/s] \end{array}\right) \end{array}\right)$$
{Lemma L.G.1.33}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg \exists y, ref \bullet \left(\begin{array}{l} y = \{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\} \\ \wedge \\ (\mathbf{RA2}(P^f_f) \wedge (\exists z \bullet s.tr \le z.tr \wedge z \in ac'))[y/s] \end{array}\right) \\ \vdash \\ (\exists y \bullet y.wait \wedge y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \exists y, ref \bullet \left(\begin{array}{l} y = \{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\} \\ \wedge \\ (\mathbf{RA2}(P^t_f) \wedge (\exists z \bullet s.tr \le z.tr \wedge z \in ac'))[y/s] \end{array}\right) \end{array}\right)$$
{Substitution}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg \exists y, ref \bullet \left(\begin{array}{l} y = \{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\} \\ \wedge \\ (\mathbf{RA2}(P^f_f)[y/s] \wedge (\exists z \bullet y.tr \le z.tr \wedge z \in ac')) \end{array}\right) \\ \vdash \\ (\exists y \bullet y.wait \wedge y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \exists y, ref \bullet \left(\begin{array}{l} y = \{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\} \\ \wedge \\ (\mathbf{RA2}(P^t_f)[y/s] \wedge (\exists z \bullet y.tr \le z.tr \wedge z \in ac')) \end{array}\right) \end{array}\right)$$
{One-point rule, substitution and value of record component $tr$}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg \exists ref \bullet \left(\begin{array}{l} (\mathbf{RA2}(P^f_f))[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s] \\ \wedge \\ (\exists z \bullet s.tr \frown \langle a \rangle \le z.tr \wedge z \in ac') \end{array}\right) \\ \vdash \\ (\exists y \bullet y.wait \wedge y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \exists ref \bullet \left(\begin{array}{l} \mathbf{RA2}(P^t_f)[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s] \\ \wedge \\ (\exists z \bullet s.tr \frown \langle a \rangle \le z.tr \wedge z \in ac') \end{array}\right) \end{array}\right)$$
{Predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg \left(\begin{array}{l} (\exists ref \bullet (\mathbf{RA2}(P^f_f))[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s]) \\ \wedge \\ (\exists z \bullet s.tr \frown \langle a \rangle \le z.tr \wedge z \in ac') \end{array}\right) \\ \vdash \\ (\exists y \bullet y.wait \wedge y \in ac' \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \left(\begin{array}{l} (\exists ref \bullet \mathbf{RA2}(P^t_f)[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s]) \\ \wedge \\ (\exists z \bullet s.tr \frown \langle a \rangle \le z.tr \wedge z \in ac') \end{array}\right) \end{array}\right)$$
{Predicate calculus and definition of $\circledS^{z}_{ac'}$}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \Rightarrow \neg \exists ref \bullet (\mathbf{RA2}(P^f_f))[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s] \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \left(\begin{array}{l} (\exists ref \bullet \mathbf{RA2}(P^t_f)[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s]) \\ \wedge \\ \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \end{array}\right) \end{array}\right)$$
□
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Lemma L.G.8.11 


a ^RAD StOpTlAD 


RA o A 


/ true \ 

h 

V ©lAy- wait A ((?/- ir = s -^ r A a y.ref ) V y.tr = s.tr ^ (a))) / 


Proof. 


a — )-rad Stop-RAD {Definition of StopnAn and Lemma |L.G.8.10|} 

( ( © Z ac '( s - tr ~ ( a ) ^ z - tr ) 


= RA o A 


\ 


/ 


V 


3 ref • RA2 (false) 


V 


fr (-)■ s.tr ^ (a), 
waft i—> false, 
ref i—^ re/ 


h 


/ (e)^ ,( y.wait A ?/.fr = s.tr A a ^ y.ref) 
V 

/ / 


3 re/ • RA2 


V 

A 

V ©L'( s - ir " ( a ) ^ z - tr ) 


\ 


J/ 


/ 

/ y.wait \ 

\ 



A 



r l 

© y , 

y.tr 




V 

\ s.tr / 

J 


L v 


fr i— y s.tr ^ (a), 
wait t-A false, 
ref (->• ref 


{Lemma L.G.2.4 and predicate calculus} 
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/ / (D Z ac ,(s.tr ~ (a) < z.fr) ^ 
=>- 

\ true 


= RA o A 




/ 


b 


/ ((&) y a ,(y.wait A t/.fr = s.tr A a ^ y~ref) 
V 

/ / ( ( y.wait \ \ 


\ 


\ 


\ 


3 re/ • RA2 


A 

y.tr 


\ s.tr ) ) 


\ 


tr i y s.tr ^ (a), 
wait t-)- false, 
ref t-)- ref 


\ 


A 


\ 0L'( s - tr " («) ^ z - tr ) 


{Predicate calculus} 


= RA o A 


/ true 
b 

/ (&) y ,(y.wait A y.tr = s.tr A a ^ y.ref) 

V 

/ / ( ( y.wait \ 

3 re/ . RA2 (ef , 


\ 


V 


\ 


V 


A 


\ y.tr = s.tr ) ) 


A 


V 0L'( s - tr " ( fl ) ^ z - tr ) 


tr i—> s.tr ^ (a), 
wait t-)- false, 
ref (->■ ref 


{Lemma IL.G.7.441 } 




J/ 


\ 


= RA o A 


/ true 
b 

/ (&) y ,(y.wait A y.tr = s.tr A a ^ y.ref) 
V 

/ / 

3 ^/ • ©L 


\ 




V 


( y.wait \ 


( tr i-A s.tr ^ (o), "j / 

\ 

\ 

A 


< wait H>• false, > / s 



\ y.tr = s.tr J 


y ref i— > re/ J ' 

J 



A 


?) ac ,(s.tr ^ (a) < z.tr) 

{Definition of (&f ,, substitution and value of component tr} 
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= RA o A 


/ true 
b 

/ (E) y ac ,(y.wait A y.tr = s.tr A a y.ref) 

V 

/ (3 re/ • (fAj y ac ,(y .wait A y.tr = s.tr ^ (a 


\ 


V 


\ 


V 


A 


V © z a A s - tr ^ (°> - z - tr ) 


/ 


/ 


/ 


= RA o A 


{Predicate calculus: re/ not free} 

\ 


V 


/ 


/ 


/ 


= RA O A 


/ true 

b 

/ ( E) y ac ,(y.wait A y.tr = s.tr A a ^ y-ref) \ 

V 

E) v ac ,(y.wait A y.tr = s.tr ^ (a) 

A 

V © z a A s - tr ~ A) ^ z - tr ) 

{Definition of (e)^ , and predicate calculus} 

/ true \ 

b 

ef) y ac ,(y.wait A y.tr = s.tr A a ^ y.ref) \ 

V 

V (DL Xy- wait A y- tr = s - tr ~ («)) 

{Definition of (e,, Lemma 

/ true 


/ 


/ 


L.G.7.30 


= RA o A 


and predicate calculus} 

\ 


b 


V ©lAy- wait A = s -t r A « ^ y-ref) V y.tr = s.tr ^ (a))) ) 


□ 


Lemma L.G.8.12
$$(a \rightarrow_{RAD} Stop_{RAD}) \sqcup_{RAD} Skip_{RAD} = \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right)$$

Proof.
$$(a \rightarrow_{RAD} Stop_{RAD}) \sqcup_{RAD} Skip_{RAD}$$
{Definition of $Skip_{RAD}$ and Lemma L.G.8.11}
$$= \begin{array}{l} \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle))) \\ \sqcup_{RAD} \\ \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr)) \end{array}$$
{Theorem T.5.4.1}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \vee true \\ \vdash \\ (true \Rightarrow \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle))) \\ \wedge \\ (true \Rightarrow \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr)) \end{array}\right)$$
{Predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right)$$
□


Lemma L.G.8.13
$$((a \rightarrow_{RAD} Stop_{RAD}) \sqcup_{RAD} Skip_{RAD}) ;_{\mathcal{D}ac} Chaos_{RAD} = a \rightarrow_{RAD} Stop_{RAD}$$

Proof.
$$((a \rightarrow_{RAD} Stop_{RAD}) \sqcup_{RAD} Skip_{RAD}) ;_{\mathcal{D}ac} Chaos_{RAD}$$
{Lemma L.G.8.12 and Theorem T.G.8.7}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg\left(\mathbf{RA1}\left(\begin{array}{l} \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee (y.tr = s.tr \frown \langle a \rangle))) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))\right) \\ \vdash \\ \mathbf{RA1}\left(\begin{array}{l} \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee (y.tr = s.tr \frown \langle a \rangle))) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}(true)) \end{array}\right)$$
{Predicate calculus and Lemma L.G.7.30}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg\left(\mathbf{RA1}\left(\begin{array}{l} (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))\right) \\ \vdash \\ \mathbf{RA1}\left(\begin{array}{l} (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}(true)) \end{array}\right)$$
{Theorems T.5.2.2 and T.5.2.3}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg\left(\left(\begin{array}{l} (\mathbf{RA1}(\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref)) \vee \mathbf{RA1}(\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle))) \\ \wedge \\ \mathbf{RA1}(\circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr)) \end{array}\right) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))\right) \\ \vdash \\ \left(\begin{array}{l} (\mathbf{RA1}(\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref)) \vee \mathbf{RA1}(\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle))) \\ \wedge \\ \mathbf{RA1}(\circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr)) \end{array}\right) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}(true)) \end{array}\right)$$
{Lemma L.G.7.15}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg\left(\left(\begin{array}{l} (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge s.tr \le y.tr) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge s.tr \le y.tr)) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr \wedge s.tr \le y.tr) \end{array}\right) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))\right) \\ \vdash \\ \left(\begin{array}{l} (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge s.tr \le y.tr) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge s.tr \le y.tr)) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr \wedge s.tr \le y.tr) \end{array}\right) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}(true)) \end{array}\right)$$
{Property of sequences and predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg\left(\left(\begin{array}{l} (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA2}\circ\mathbf{RA1}(true))\right) \\ \vdash \\ \left(\begin{array}{l} (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA2}\circ\mathbf{RA1}(true)) \end{array}\right)$$
{Theorem T.5.2.10 and Lemma L.G.2.4}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg\left(\left(\begin{array}{l} (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA1}(true))\right) \\ \vdash \\ \left(\begin{array}{l} (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ \circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) \end{array}\right) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA1}(true)) \end{array}\right)$$
{Lemmas L.F.1.4 and L.F.1.5}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg\left(\begin{array}{l} \left(\begin{array}{l} (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA1}(true))) \\ \vee \\ (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA1}(true))) \end{array}\right) \\ \wedge \\ (\circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) ;_{\mathbf{A}} (\neg s.wait \wedge \mathbf{RA1}(true))) \end{array}\right) \\ \vdash \\ \left(\begin{array}{l} (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA1}(true))) \\ \vee \\ (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA1}(true))) \end{array}\right) \\ \wedge \\ (\circledS^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr) ;_{\mathbf{A}} (s \in ac' \lhd s.wait \rhd \mathbf{RA1}(true))) \end{array}\right)$$
{Definition of $\circledS^{y}_{ac'}$, $;_{\mathbf{A}}$ and property of sets}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg\left(\begin{array}{l} \left(\begin{array}{l} (\exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge \neg y.wait \wedge \mathbf{RA1}(true)[y/s]) \\ \vee \\ (\exists y \bullet y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge \neg y.wait \wedge \mathbf{RA1}(true)[y/s]) \end{array}\right) \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge \neg y.wait \wedge \mathbf{RA1}(true)[y/s]) \end{array}\right) \\ \vdash \\ \left(\begin{array}{l} (\exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge (y \in ac' \lhd y.wait \rhd \mathbf{RA1}(true)[y/s])) \\ \vee \\ (\exists y \bullet y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge (y \in ac' \lhd y.wait \rhd \mathbf{RA1}(true)[y/s])) \end{array}\right) \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge (y \in ac' \lhd y.wait \rhd \mathbf{RA1}(true)[y/s])) \end{array}\right)$$
{Predicate calculus and property of conditional}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \\ \wedge \\ \neg(((\exists y \bullet false) \vee (\exists y \bullet false)) \wedge (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge \mathbf{RA1}(true)[y/s])) \\ \vdash \\ \left(\begin{array}{l} (\exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \\ \vee \\ (\exists y \bullet y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge y \in ac') \end{array}\right) \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge \mathbf{RA1}(true)[y/s]) \end{array}\right)$$
{Definition of $\circledS^{y}_{ac'}$ and predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \neg(\mathbf{RA1}(false) ;_{\mathbf{A}} \mathbf{RA1}(true)) \wedge \neg false \\ \vdash \\ (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge \mathbf{RA1}(true)[y/s]) \end{array}\right)$$
{Lemmas L.F.1.1 and L.G.1.9 and predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge \mathbf{RA1}(true)[y/s]) \end{array}\right)$$
{Lemma L.G.1.10 and substitution}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \wedge \exists z \bullet y.tr \le z.tr \wedge z \in ac') \end{array}\right)$$
{One-point rule}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle)) \\ \wedge \\ (\exists z \bullet s.tr \le z.tr \wedge z \in ac') \end{array}\right)$$
{Lemma L.G.1.10}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ (\circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle)) \wedge \mathbf{RA1}(true) \end{array}\right)$$
{Lemmas L.G.1.35 and L.G.7.15 and predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \frown \langle a \rangle) \end{array}\right)$$
{Lemma L.G.7.25 and predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}(y.wait \wedge ((y.tr = s.tr \wedge a \notin y.ref) \vee y.tr = s.tr \frown \langle a \rangle)))$$
{Lemma L.G.8.11}
$$= a \rightarrow_{RAD} Stop_{RAD}$$
□


Lemma L.G.8.14
$$a \rightarrow_{RAD} Choice_{RAD} = \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}((y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee (s.tr \frown \langle a \rangle \le y.tr)))$$

Proof.
$$a \rightarrow_{RAD} Choice_{RAD}$$
{Definition of $Choice_{RAD}$ and Lemma L.G.8.10}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \Rightarrow \neg \exists ref \bullet (\mathbf{RA2}(false))[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s] \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \left(\begin{array}{l} (\exists ref \bullet \mathbf{RA2}(ac' \neq \emptyset)[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s]) \\ \wedge \\ \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \end{array}\right) \end{array}\right)$$
{Lemma L.G.2.4 and predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \Rightarrow \neg false \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \left(\begin{array}{l} (\exists ref \bullet \mathbf{RA2}(ac' \neq \emptyset)[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s]) \\ \wedge \\ \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \end{array}\right) \end{array}\right)$$
{Predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \left(\begin{array}{l} (\exists ref \bullet \mathbf{RA2}(ac' \neq \emptyset)[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s]) \\ \wedge \\ \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \end{array}\right) \end{array}\right)$$
{Theorem T.5.2.9 and Lemma L.G.1.10}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ \left(\begin{array}{l} (\exists ref \bullet (\exists y \bullet s.tr \le y.tr \wedge y \in ac')[\{tr \mapsto s.tr \frown \langle a \rangle, wait \mapsto false, ref \mapsto ref\}/s]) \\ \wedge \\ \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr) \end{array}\right) \end{array}\right)$$
{Substitution and value of record component $tr$}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ ((\exists ref \bullet (\exists y \bullet s.tr \frown \langle a \rangle \le y.tr \wedge y \in ac')) \wedge \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr)) \end{array}\right)$$
{Predicate calculus and definition of $\circledS^{y}_{ac'}$}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \\ \vee \\ (\circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \wedge \circledS^{z}_{ac'}(s.tr \frown \langle a \rangle \le z.tr)) \end{array}\right)$$
{Predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}\left(\begin{array}{l} true \\ \vdash \\ \circledS^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee \circledS^{y}_{ac'}(s.tr \frown \langle a \rangle \le y.tr) \end{array}\right)$$
{Lemma L.G.7.25 and predicate calculus}
$$= \mathbf{RA}\circ\mathbf{A}(true \vdash \circledS^{y}_{ac'}((y.wait \wedge y.tr = s.tr \wedge a \notin y.ref) \vee (s.tr \frown \langle a \rangle \le y.tr)))$$
□


G.8.9 External Choice 

Theorem T.5.4.30 Provided P is a reactive angelic design, 

p n RAD Stop RAr> = RA O A(-i P f f h 3 y • (Pf)[{y}/ac'] Aye ac') 

Proof.

$P \Box_{RAD} Stop_{RAD}$    {Assumption: P is RAD-healthy and definition of $Stop_{RAD}$}

$= RA \circ A(\lnot P^f_f \vdash P^t_f) \Box_{RAD} RA \circ A(true \vdash \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait))$    {Theorem T.G.8.10}

$= RA \circ A(\lnot P^f_f \wedge true \vdash \circledast^y_{ac'}((P^t_f \wedge \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait)) \lhd y.wait \wedge y.tr = s.tr \rhd (P^t_f \vee \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait))))$    {Predicate calculus}

$= RA \circ A(\lnot P^f_f \vdash \circledast^y_{ac'}((P^t_f \wedge \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait)) \lhd y.wait \wedge y.tr = s.tr \rhd (P^t_f \vee \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait))))$    {Lemma L.G.7.31}

$= RA \circ A(\lnot P^f_f \vdash \circledast^y_{ac'}(y.wait \wedge y.tr = s.tr \wedge P^t_f \wedge \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait)) \vee \circledast^y_{ac'}(\lnot y.wait \wedge (P^t_f \vee \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait))) \vee \circledast^y_{ac'}(s.tr \neq y.tr \wedge (P^t_f \vee \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait))))$    {Predicate calculus and Lemma L.G.7.30}

$= RA \circ A(\lnot P^f_f \vdash \circledast^y_{ac'}(y.wait \wedge y.tr = s.tr \wedge P^t_f \wedge \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait)) \vee \circledast^y_{ac'}(\lnot y.wait \wedge P^t_f) \vee \circledast^y_{ac'}(\lnot y.wait \wedge \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait)) \vee \circledast^y_{ac'}(s.tr \neq y.tr \wedge P^t_f) \vee \circledast^y_{ac'}(s.tr \neq y.tr \wedge \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait)))$    {Variable renaming}

$= RA \circ A(\lnot P^f_f \vdash \circledast^y_{ac'}(y.wait \wedge y.tr = s.tr \wedge P^t_f \wedge \circledast^z_{ac'}(z.tr = s.tr \wedge z.wait)) \vee \circledast^y_{ac'}(\lnot y.wait \wedge P^t_f) \vee \circledast^y_{ac'}(\lnot y.wait \wedge \circledast^z_{ac'}(z.tr = s.tr \wedge z.wait)) \vee \circledast^y_{ac'}(s.tr \neq y.tr \wedge P^t_f) \vee \circledast^y_{ac'}(s.tr \neq y.tr \wedge \circledast^z_{ac'}(z.tr = s.tr \wedge z.wait)))$    {Lemma L.G.7.37}

$= RA \circ A(\lnot P^f_f \vdash \circledast^y_{ac'}(y.wait \wedge y.tr = s.tr \wedge P^t_f \wedge (z.tr = s.tr \wedge z.wait)[y/z][\{y\} \cap ac'/ac']) \vee \circledast^y_{ac'}(\lnot y.wait \wedge P^t_f) \vee \circledast^y_{ac'}(\lnot y.wait \wedge (z.tr = s.tr \wedge z.wait)[y/z][\{y\} \cap ac'/ac']) \vee \circledast^y_{ac'}(s.tr \neq y.tr \wedge P^t_f) \vee \circledast^y_{ac'}(s.tr \neq y.tr \wedge (z.tr = s.tr \wedge z.wait)[y/z][\{y\} \cap ac'/ac']))$    {Substitution}

$= RA \circ A(\lnot P^f_f \vdash \circledast^y_{ac'}(y.wait \wedge y.tr = s.tr \wedge P^t_f \wedge y.tr = s.tr \wedge y.wait) \vee \circledast^y_{ac'}(\lnot y.wait \wedge P^t_f) \vee \circledast^y_{ac'}(\lnot y.wait \wedge y.tr = s.tr \wedge y.wait) \vee \circledast^y_{ac'}(s.tr \neq y.tr \wedge P^t_f) \vee \circledast^y_{ac'}(s.tr \neq y.tr \wedge y.tr = s.tr \wedge y.wait))$    {Predicate calculus}

$= RA \circ A(\lnot P^f_f \vdash \circledast^y_{ac'}(y.wait \wedge y.tr = s.tr \wedge P^t_f) \vee \circledast^y_{ac'}(\lnot y.wait \wedge P^t_f) \vee \circledast^y_{ac'}(s.tr \neq y.tr \wedge P^t_f))$    {Lemma L.G.7.31}

$= RA \circ A(\lnot P^f_f \vdash \circledast^y_{ac'}(P^t_f \lhd y.wait \wedge y.tr = s.tr \rhd P^t_f))$    {Property of conditional}

$= RA \circ A(\lnot P^f_f \vdash \circledast^y_{ac'}(P^t_f))$    {Assumption: P is RAD-healthy and Theorem T.5.2.2; Lemma L.G.7.28}

$= RA \circ A(\lnot P^f_f \vdash \exists\, y \bullet (P^t_f)[\{y\}/ac'] \wedge y \in ac')$

□


Theorem T.5.4.31 Provided P is a reactive angelic design and A2-healthy,

$P \Box_{RAD} Stop_{RAD} = P$


Proof.

$P \Box_{RAD} Stop_{RAD}$    {Theorem T.5.4.30}

$= RA \circ A(\lnot P^f_f \vdash \exists\, y \bullet (P^t_f)[\{y\}/ac'] \wedge y \in ac')$    {Assumption: P is A2-healthy}

$= RA \circ A(\lnot P^f_f \vdash \exists\, y \bullet (A2(P)^t_f)[\{y\}/ac'] \wedge y \in ac')$    {Lemma L.C.1.22}

$= RA \circ A(\lnot P^f_f \vdash \exists\, y \bullet (A2(P^t_f))[\{y\}/ac'] \wedge y \in ac')$    {Theorem T.4.2.11}

$= RA \circ A(\lnot P^f_f \vdash \exists\, y \bullet (P^t_f[\emptyset/ac'] \vee (\exists\, z \bullet P^t_f[\{z\}/ac'] \wedge z \in ac'))[\{y\}/ac'] \wedge y \in ac')$    {Substitution}

$= RA \circ A(\lnot P^f_f \vdash \exists\, y \bullet (P^t_f[\emptyset/ac'] \vee (\exists\, z \bullet P^t_f[\{z\}/ac'] \wedge z \in \{y\})) \wedge y \in ac')$    {Predicate calculus}

$= RA \circ A(\lnot P^f_f \vdash (\exists\, y \bullet P^t_f[\emptyset/ac'] \wedge y \in ac') \vee (\exists\, y \bullet \exists\, z \bullet P^t_f[\{z\}/ac'] \wedge z \in \{y\} \wedge y \in ac'))$    {Predicate calculus}

$= RA \circ A(\lnot P^f_f \vdash (P^t_f[\emptyset/ac'] \wedge \exists\, y \bullet y \in ac') \vee (\exists\, y \bullet \exists\, z \bullet P^t_f[\{z\}/ac'] \wedge z \in \{y\} \wedge y \in ac'))$    {Property of sets and one-point rule}

$= RA \circ A(\lnot P^f_f \vdash (P^t_f[\emptyset/ac'] \wedge ac' \neq \emptyset) \vee (\exists\, y \bullet P^t_f[\{y\}/ac'] \wedge y \in ac'))$    {Definition of A1 and predicate calculus}

$= RA \circ A(\lnot P^f_f \vdash P^t_f[\emptyset/ac'] \vee (\exists\, y \bullet P^t_f[\{y\}/ac'] \wedge y \in ac'))$    {Theorem T.4.2.11}

$= RA \circ A(\lnot P^f_f \vdash A2(P^t_f))$    {Lemma L.C.1.22}

$= RA \circ A(\lnot P^f_f \vdash A2(P)^t_f)$    {Assumption: P is A2-healthy}

$= RA \circ A(\lnot P^f_f \vdash P^t_f)$    {Assumption: P is RAD-healthy}

$= P$

□


Theorem T.G.8.9

$RA \circ A(\lnot P^f_f \vdash P^t_f) \Box_{RAD} RA \circ A(\lnot Q^f_f \vdash Q^t_f) = RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))$

Proof.

$RA \circ A(\lnot P^f_f \vdash P^t_f) \Box_{RAD} RA \circ A(\lnot Q^f_f \vdash Q^t_f)$    {Definition of $\Box_{RAD}$}

$= RA \circ A(\lnot (RA \circ A(\lnot P^f_f \vdash P^t_f))^f_f \wedge \lnot (RA \circ A(\lnot Q^f_f \vdash Q^t_f))^f_f \vdash \circledast^y_{ac'}(((RA \circ A(\lnot P^f_f \vdash P^t_f))^t_f \wedge (RA \circ A(\lnot Q^f_f \vdash Q^t_f))^t_f) \lhd y.wait \wedge y.tr = s.tr \rhd ((RA \circ A(\lnot P^f_f \vdash P^t_f))^t_f \vee (RA \circ A(\lnot Q^f_f \vdash Q^t_f))^t_f)))$    {Lemmas L.G.4.8 and L.G.4.9}

$= RA \circ A(\lnot (RA2 \circ RA1 \circ PBMH(\lnot ok \vee P^f_f)) \wedge \lnot (RA2 \circ RA1 \circ PBMH(\lnot ok \vee Q^f_f)) \vdash \circledast^y_{ac'}((RA2 \circ RA1 \circ PBMH(\lnot ok \vee P^f_f \vee P^t_f) \wedge RA2 \circ RA1 \circ PBMH(\lnot ok \vee Q^f_f \vee Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (RA2 \circ RA1 \circ PBMH(\lnot ok \vee P^f_f \vee P^t_f) \vee RA2 \circ RA1 \circ PBMH(\lnot ok \vee Q^f_f \vee Q^t_f))))$    {Predicate calculus}

$= RA \circ A(\lnot (RA2 \circ RA1 \circ PBMH(\lnot ok \vee P^f_f) \vee RA2 \circ RA1 \circ PBMH(\lnot ok \vee Q^f_f)) \vdash \circledast^y_{ac'}((RA2 \circ RA1 \circ PBMH(\lnot ok \vee P^f_f \vee P^t_f) \wedge RA2 \circ RA1 \circ PBMH(\lnot ok \vee Q^f_f \vee Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (RA2 \circ RA1 \circ PBMH(\lnot ok \vee P^f_f \vee P^t_f) \vee RA2 \circ RA1 \circ PBMH(\lnot ok \vee Q^f_f \vee Q^t_f))))$    {Theorems T.E.2.2, T.5.2.3 and T.5.2.7}

$= RA \circ A(\lnot RA2 \circ RA1 \circ PBMH((\lnot ok \vee P^f_f) \vee (\lnot ok \vee Q^f_f)) \vdash \circledast^y_{ac'}((RA2 \circ RA1 \circ PBMH(\lnot ok \vee P^f_f \vee P^t_f) \wedge RA2 \circ RA1 \circ PBMH(\lnot ok \vee Q^f_f \vee Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd RA2 \circ RA1 \circ PBMH((\lnot ok \vee P^f_f \vee P^t_f) \vee (\lnot ok \vee Q^f_f \vee Q^t_f))))$    {Theorems T.5.2.2 and T.5.2.6}

$= RA \circ A(\lnot RA2 \circ RA1 \circ PBMH((\lnot ok \vee P^f_f) \vee (\lnot ok \vee Q^f_f)) \vdash \circledast^y_{ac'}(RA2 \circ RA1(PBMH(\lnot ok \vee P^f_f \vee P^t_f) \wedge PBMH(\lnot ok \vee Q^f_f \vee Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd RA2 \circ RA1 \circ PBMH((\lnot ok \vee P^f_f \vee P^t_f) \vee (\lnot ok \vee Q^f_f \vee Q^t_f))))$    {Theorem T.E.3.1 and Lemma L.G.7.36}

$= RA \circ A(\lnot RA2 \circ RA1 \circ PBMH((\lnot ok \vee P^f_f) \vee (\lnot ok \vee Q^f_f)) \vdash RA2(\circledast^y_{ac'}((PBMH(\lnot ok \vee P^f_f \vee P^t_f) \wedge PBMH(\lnot ok \vee Q^f_f \vee Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd PBMH((\lnot ok \vee P^f_f \vee P^t_f) \vee (\lnot ok \vee Q^f_f \vee Q^t_f)))))$    {Theorem T.5.2.5 and Lemma L.G.4.12}

$= RA \circ A(\lnot RA1 \circ PBMH((\lnot ok \vee P^f_f) \vee (\lnot ok \vee Q^f_f)) \vdash RA2(\circledast^y_{ac'}((PBMH(\lnot ok \vee P^f_f \vee P^t_f) \wedge PBMH(\lnot ok \vee Q^f_f \vee Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd PBMH((\lnot ok \vee P^f_f \vee P^t_f) \vee (\lnot ok \vee Q^f_f \vee Q^t_f)))))$    {Lemma L.G.4.15 and Theorem T.E.2.1}

$= RA \circ A(\lnot PBMH((\lnot ok \vee P^f_f) \vee (\lnot ok \vee Q^f_f)) \vdash RA2(\circledast^y_{ac'}((PBMH(\lnot ok \vee P^f_f \vee P^t_f) \wedge PBMH(\lnot ok \vee Q^f_f \vee Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd PBMH((\lnot ok \vee P^f_f \vee P^t_f) \vee (\lnot ok \vee Q^f_f \vee Q^t_f)))))$    {Lemmas L.E.4.9, L.G.4.13 and L.G.7.43 and Theorem T.E.3.1}

$= RA \circ A(\lnot PBMH((\lnot ok \vee P^f_f) \vee (\lnot ok \vee Q^f_f)) \vdash \circledast^y_{ac'}((PBMH(\lnot ok \vee P^f_f \vee P^t_f) \wedge PBMH(\lnot ok \vee Q^f_f \vee Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd PBMH((\lnot ok \vee P^f_f \vee P^t_f) \vee (\lnot ok \vee Q^f_f \vee Q^t_f))))$    {Theorem T.E.2.2}

$= RA \circ A(\lnot (PBMH(\lnot ok) \vee PBMH(P^f_f) \vee PBMH(\lnot ok) \vee PBMH(Q^f_f)) \vdash \circledast^y_{ac'}(((PBMH(\lnot ok) \vee PBMH(P^f_f \vee P^t_f)) \wedge (PBMH(\lnot ok) \vee PBMH(Q^f_f \vee Q^t_f))) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(\lnot ok) \vee PBMH(P^f_f \vee P^t_f) \vee PBMH(\lnot ok) \vee PBMH(Q^f_f \vee Q^t_f))))$    {Lemma L.E.4.5 and predicate calculus}

$= RA \circ A(\lnot (\lnot ok \vee PBMH(P^f_f) \vee PBMH(Q^f_f)) \vdash \circledast^y_{ac'}((\lnot ok \vee (PBMH(P^f_f \vee P^t_f) \wedge PBMH(Q^f_f \vee Q^t_f))) \lhd y.wait \wedge y.tr = s.tr \rhd (\lnot ok \vee PBMH(P^f_f \vee P^t_f) \vee PBMH(Q^f_f \vee Q^t_f))))$    {Predicate calculus}

$= RA \circ A(ok \wedge \lnot PBMH(P^f_f) \wedge \lnot PBMH(Q^f_f) \vdash \lnot ok \vee \circledast^y_{ac'}((PBMH(P^f_f \vee P^t_f) \wedge PBMH(Q^f_f \vee Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^f_f \vee P^t_f) \vee PBMH(Q^f_f \vee Q^t_f))))$    {Definition of design and predicate calculus}

$= RA \circ A(\lnot PBMH(P^f_f) \wedge \lnot PBMH(Q^f_f) \vdash \circledast^y_{ac'}((PBMH(P^f_f \vee P^t_f) \wedge PBMH(Q^f_f \vee Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^f_f \vee P^t_f) \vee PBMH(Q^f_f \vee Q^t_f))))$    {Theorem T.E.2.2}

$= RA \circ A(\lnot PBMH(P^f_f) \wedge \lnot PBMH(Q^f_f) \vdash \circledast^y_{ac'}(((PBMH(P^f_f) \vee PBMH(P^t_f)) \wedge (PBMH(Q^f_f) \vee PBMH(Q^t_f))) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^f_f) \vee PBMH(P^t_f) \vee PBMH(Q^f_f) \vee PBMH(Q^t_f))))$    {Predicate calculus}

$= RA \circ A(\lnot PBMH(P^f_f) \wedge \lnot PBMH(Q^f_f) \vdash \circledast^y_{ac'}(((PBMH(P^f_f) \wedge PBMH(Q^f_f)) \vee (PBMH(P^f_f) \wedge PBMH(Q^t_f)) \vee (PBMH(P^t_f) \wedge PBMH(Q^f_f)) \vee (PBMH(P^t_f) \wedge PBMH(Q^t_f))) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^f_f) \vee PBMH(P^t_f) \vee PBMH(Q^f_f) \vee PBMH(Q^t_f))))$    {Definition of design, predicate calculus and Lemma L.G.7.40}

$= RA \circ A(\lnot PBMH(P^f_f) \wedge \lnot PBMH(Q^f_f) \vdash \circledast^y_{ac'}((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^f_f) \vee PBMH(P^t_f) \vee PBMH(Q^f_f) \vee PBMH(Q^t_f))))$    {Definition of design, predicate calculus and Lemma L.G.7.41}

$= RA \circ A(\lnot PBMH(P^f_f) \wedge \lnot PBMH(Q^f_f) \vdash \circledast^y_{ac'}((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))$    {Predicate calculus and Theorem T.E.2.2}

$= RA \circ A(\lnot PBMH(P^f_f \vee Q^f_f) \vdash \circledast^y_{ac'}((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))$    {Theorem T.G.1.6 and Lemma L.E.6.2}

$= RA \circ A(\lnot (P^f_f \vee Q^f_f) \vdash \circledast^y_{ac'}((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))$    {Predicate calculus}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))$

□


Theorem T.G.8.10 Provided P and Q are reactive angelic designs,

$P \Box_{RAD} Q = RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.wait \wedge y.tr = s.tr \rhd (P^t_f \vee Q^t_f)))$


Proof.

$P \Box_{RAD} Q$    {Assumption: P and Q are RAD-healthy}

$= RA \circ A(\lnot P^f_f \vdash P^t_f) \Box_{RAD} RA \circ A(\lnot Q^f_f \vdash Q^t_f)$    {Theorem T.G.8.9}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))$    {Lemma L.E.5.1}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((PBMH(P)^t_f \wedge PBMH(Q)^t_f) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P)^t_f \vee PBMH(Q)^t_f)))$    {Assumption and Theorem T.5.2.2}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.wait \wedge y.tr = s.tr \rhd (P^t_f \vee Q^t_f)))$

□


Relationship with CSP 


Theorem T.5.4.32 Provided that P and Q are CSP processes,

$ac2p(p2ac(P) \Box_{RAD} p2ac(Q)) = P \Box_R Q$


Proof.

$ac2p(p2ac(P) \Box_{RAD} p2ac(Q))$    {Definition of $\Box_{RAD}$}

$= ac2p \circ RA \circ A(\lnot p2ac(P)^f_f \wedge \lnot p2ac(Q)^f_f \vdash \circledast^y_{ac'}((p2ac(P)^t_f \wedge p2ac(Q)^t_f) \lhd y.wait \wedge y.tr = s.tr \rhd (p2ac(P)^t_f \vee p2ac(Q)^t_f)))$    {Lemma L.C.5.8}

$= ac2p \circ RA \circ A(\lnot p2ac(P^f_f) \wedge \lnot p2ac(Q^f_f) \vdash \circledast^y_{ac'}((p2ac(P^t_f) \wedge p2ac(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (p2ac(P^t_f) \vee p2ac(Q^t_f))))$    {Theorem T.5.3.2}

$= R(\lnot ac2p(\lnot (\lnot p2ac(P^f_f) \wedge \lnot p2ac(Q^f_f))) \vdash ac2p(\circledast^y_{ac'}((p2ac(P^t_f) \wedge p2ac(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (p2ac(P^t_f) \vee p2ac(Q^t_f)))))$    {Predicate calculus}

$= R(\lnot ac2p(p2ac(P^f_f) \vee p2ac(Q^f_f)) \vdash ac2p(\circledast^y_{ac'}((p2ac(P^t_f) \wedge p2ac(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (p2ac(P^t_f) \vee p2ac(Q^t_f)))))$    {Lemma L.G.7.31}

$= R(\lnot ac2p(p2ac(P^f_f) \vee p2ac(Q^f_f)) \vdash ac2p(\circledast^y_{ac'}(y.wait \wedge y.tr = s.tr \wedge p2ac(P^t_f) \wedge p2ac(Q^t_f)) \vee \circledast^y_{ac'}(\lnot y.wait \wedge (p2ac(P^t_f) \vee p2ac(Q^t_f))) \vee \circledast^y_{ac'}(y.tr \neq s.tr \wedge (p2ac(P^t_f) \vee p2ac(Q^t_f)))))$    {Theorem T.C.5.1}

$= R(\lnot (ac2p \circ p2ac(P^f_f) \vee ac2p \circ p2ac(Q^f_f)) \vdash ac2p(\circledast^y_{ac'}(y.wait \wedge y.tr = s.tr \wedge p2ac(P^t_f) \wedge p2ac(Q^t_f))) \vee ac2p(\circledast^y_{ac'}(\lnot y.wait \wedge (p2ac(P^t_f) \vee p2ac(Q^t_f)))) \vee ac2p(\circledast^y_{ac'}(y.tr \neq s.tr \wedge (p2ac(P^t_f) \vee p2ac(Q^t_f)))))$    {Theorem T.4.6.1}

$= R(\lnot (ac2p \circ p2ac(P^f_f) \vee ac2p \circ p2ac(Q^f_f)) \vdash ac2p(\circledast^y_{ac'}(y.wait \wedge y.tr = s.tr \wedge p2ac(P^t_f) \wedge p2ac(Q^t_f))) \vee ac2p(\circledast^y_{ac'}(\lnot y.wait \wedge p2ac(P^t_f \vee Q^t_f))) \vee ac2p(\circledast^y_{ac'}(y.tr \neq s.tr \wedge p2ac(P^t_f \vee Q^t_f))))$    {Theorem T.G.7.16}

$= R(\lnot (ac2p \circ p2ac(P^f_f) \vee ac2p \circ p2ac(Q^f_f)) \vdash ((y.wait \wedge y.tr = s.tr)[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s] \wedge P^t_f \wedge Q^t_f) \vee ac2p(\circledast^y_{ac'}(\lnot y.wait \wedge p2ac(P^t_f \vee Q^t_f))) \vee ac2p(\circledast^y_{ac'}(y.tr \neq s.tr \wedge p2ac(P^t_f \vee Q^t_f))))$    {Lemma L.G.7.42}

$= R(\lnot (ac2p \circ p2ac(P^f_f) \vee ac2p \circ p2ac(Q^f_f)) \vdash ((y.wait \wedge y.tr = s.tr)[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s] \wedge P^t_f \wedge Q^t_f) \vee ((\lnot y.wait)[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s] \wedge (P^t_f \vee Q^t_f)) \vee ((y.tr \neq s.tr)[undash(State_{II}(out\alpha_{ok'}))/y][State_{II}(in\alpha_{ok})/s] \wedge (P^t_f \vee Q^t_f)))$    {Definition of $State_{II}$, property of $undash$ and substitution}

$= R(\lnot (ac2p \circ p2ac(P^f_f) \vee ac2p \circ p2ac(Q^f_f)) \vdash (wait' \wedge tr' = tr \wedge P^t_f \wedge Q^t_f) \vee (\lnot wait' \wedge (P^t_f \vee Q^t_f)) \vee (tr' \neq tr \wedge (P^t_f \vee Q^t_f)))$    {Theorem T.5.3.5}

$= R(\lnot (P^f_f \vee Q^f_f) \vdash (wait' \wedge tr' = tr \wedge P^t_f \wedge Q^t_f) \vee (\lnot wait' \wedge (P^t_f \vee Q^t_f)) \vee (tr' \neq tr \wedge (P^t_f \vee Q^t_f)))$    {Predicate calculus and property of conditional}

$= R(\lnot P^f_f \wedge \lnot Q^f_f \vdash (P^t_f \wedge Q^t_f) \lhd wait' \wedge tr' = tr \rhd (P^t_f \vee Q^t_f))$    {Assumption: P and Q are CSP processes and definition of $\Box_R$}

$= P \Box_R Q$

□


Theorem T.5.4.33 Provided P and Q are reactive angelic designs,

$p2ac(ac2p(P) \Box_R ac2p(Q)) \sqsupseteq P \Box_{RAD} Q$


Proof.

$p2ac(ac2p(P) \Box_R ac2p(Q))$    {Definition of $\Box_R$}

$= p2ac \circ R(\lnot ac2p(P)^f_f \wedge \lnot ac2p(Q)^f_f \vdash (ac2p(P)^t_f \wedge ac2p(Q)^t_f) \lhd tr' = tr \wedge wait' \rhd (ac2p(P)^t_f \vee ac2p(Q)^t_f))$    {Lemma L.C.5.31}

$= p2ac \circ R(\lnot ac2p(P^f_f) \wedge \lnot ac2p(Q^f_f) \vdash (ac2p(P^t_f) \wedge ac2p(Q^t_f)) \lhd tr' = tr \wedge wait' \rhd (ac2p(P^t_f) \vee ac2p(Q^t_f)))$    {Theorem T.5.3.4}

$= RA \circ A(\lnot p2ac(ac2p(P^f_f) \vee ac2p(Q^f_f)) \vdash p2ac((ac2p(P^t_f) \wedge ac2p(Q^t_f)) \lhd tr' = tr \wedge wait' \rhd (ac2p(P^t_f) \vee ac2p(Q^t_f))))$    {Definition of conditional and predicate calculus}

$= RA \circ A(\lnot p2ac(ac2p(P^f_f) \vee ac2p(Q^f_f)) \vdash p2ac((tr' = tr \wedge wait' \wedge ac2p(P^t_f) \wedge ac2p(Q^t_f)) \vee (tr' \neq tr \wedge (ac2p(P^t_f) \vee ac2p(Q^t_f))) \vee (\lnot wait' \wedge (ac2p(P^t_f) \vee ac2p(Q^t_f)))))$    {Distributivity of $ac2p$ (Theorem T.C.5.1)}

$= RA \circ A(\lnot p2ac \circ ac2p(P^f_f \vee Q^f_f) \vdash p2ac((tr' = tr \wedge wait' \wedge ac2p(P^t_f) \wedge ac2p(Q^t_f)) \vee (tr' \neq tr \wedge ac2p(P^t_f \vee Q^t_f)) \vee (\lnot wait' \wedge ac2p(P^t_f \vee Q^t_f))))$    {Theorem (number illegible)}

$= RA \circ A(\lnot (p2ac \circ ac2p(P^f_f \vee Q^f_f) \wedge PBMH(P^f_f \vee Q^f_f)) \vdash p2ac((tr' = tr \wedge wait' \wedge ac2p(P^t_f) \wedge ac2p(Q^t_f)) \vee (tr' \neq tr \wedge ac2p(P^t_f \vee Q^t_f)) \vee (\lnot wait' \wedge ac2p(P^t_f \vee Q^t_f))))$    {Predicate calculus}

$= RA \circ A(\lnot p2ac \circ ac2p(P^f_f \vee Q^f_f) \vee \lnot PBMH(P^f_f \vee Q^f_f) \vdash p2ac((tr' = tr \wedge wait' \wedge ac2p(P^t_f) \wedge ac2p(Q^t_f)) \vee (tr' \neq tr \wedge ac2p(P^t_f \vee Q^t_f)) \vee (\lnot wait' \wedge ac2p(P^t_f \vee Q^t_f))))$    {Refinement of designs}

$\sqsupseteq RA \circ A(\lnot PBMH(P^f_f \vee Q^f_f) \vdash p2ac((tr' = tr \wedge wait' \wedge ac2p(P^t_f) \wedge ac2p(Q^t_f)) \vee (tr' \neq tr \wedge ac2p(P^t_f \vee Q^t_f)) \vee (\lnot wait' \wedge ac2p(P^t_f \vee Q^t_f))))$    {Distributivity of $p2ac$ (Theorem T.4.6.1)}

$= RA \circ A(\lnot PBMH(P^f_f \vee Q^f_f) \vdash p2ac(tr' = tr \wedge wait' \wedge ac2p(P^t_f) \wedge ac2p(Q^t_f)) \vee p2ac(tr' \neq tr \wedge ac2p(P^t_f \vee Q^t_f)) \vee p2ac(\lnot wait' \wedge ac2p(P^t_f \vee Q^t_f)))$    {Theorem T.4.6.2 and weaken postcondition}

$\sqsupseteq RA \circ A(\lnot PBMH(P^f_f \vee Q^f_f) \vdash (p2ac(tr' = tr \wedge wait') \wedge p2ac \circ ac2p(P^t_f) \wedge p2ac \circ ac2p(Q^t_f)) \vee (p2ac(tr' \neq tr) \wedge p2ac \circ ac2p(P^t_f \vee Q^t_f)) \vee (p2ac(\lnot wait') \wedge p2ac \circ ac2p(P^t_f \vee Q^t_f)))$    {Theorem T.G.7.13 and weaken postcondition}

$\sqsupseteq RA \circ A(\lnot PBMH(P^f_f \vee Q^f_f) \vdash (p2ac(tr' = tr \wedge wait') \wedge PBMH(P^t_f) \wedge PBMH(Q^t_f)) \vee (p2ac(tr' \neq tr) \wedge PBMH(P^t_f \vee Q^t_f)) \vee (p2ac(\lnot wait') \wedge PBMH(P^t_f \vee Q^t_f)))$    {Definition of $p2ac$}

$= RA \circ A(\lnot PBMH(P^f_f \vee Q^f_f) \vdash ((\exists\, z \bullet z'.tr' = s.tr \wedge z'.wait' \wedge z \in ac') \wedge PBMH(P^t_f) \wedge PBMH(Q^t_f)) \vee ((\exists\, z \bullet z'.tr' \neq s.tr \wedge z \in ac') \wedge PBMH(P^t_f \vee Q^t_f)) \vee ((\exists\, z \bullet \lnot z'.wait' \wedge z \in ac') \wedge PBMH(P^t_f \vee Q^t_f)))$    {Property of dashed state variable}

$= RA \circ A(\lnot PBMH(P^f_f \vee Q^f_f) \vdash ((\exists\, z \bullet z.tr = s.tr \wedge z.wait \wedge z \in ac') \wedge PBMH(P^t_f) \wedge PBMH(Q^t_f)) \vee ((\exists\, z \bullet z.tr \neq s.tr \wedge z \in ac') \wedge PBMH(P^t_f \vee Q^t_f)) \vee ((\exists\, z \bullet \lnot z.wait \wedge z \in ac') \wedge PBMH(P^t_f \vee Q^t_f)))$    {Predicate calculus and distributivity of PBMH}

$= RA \circ A(\lnot PBMH(P^f_f) \wedge \lnot PBMH(Q^f_f) \vdash \exists\, z \bullet z \in ac' \wedge (((z.tr = s.tr \wedge z.wait) \wedge PBMH(P^t_f) \wedge PBMH(Q^t_f)) \vee ((z.tr \neq s.tr) \wedge PBMH(P^t_f \vee Q^t_f)) \vee ((\lnot z.wait) \wedge PBMH(P^t_f \vee Q^t_f))))$    {Predicate calculus}

$= RA \circ A(\lnot PBMH(P^f_f) \wedge \lnot PBMH(Q^f_f) \vdash \exists\, y \bullet y \in ac' \wedge (((y.tr = s.tr \wedge y.wait) \wedge PBMH(P^t_f) \wedge PBMH(Q^t_f)) \vee (\lnot (y.tr = s.tr \wedge y.wait) \wedge PBMH(P^t_f \vee Q^t_f))))$    {Definition of conditional}

$= RA \circ A(\lnot PBMH(P^f_f) \wedge \lnot PBMH(Q^f_f) \vdash \exists\, y \bullet y \in ac' \wedge ((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.tr = s.tr \wedge y.wait \rhd PBMH(P^t_f \vee Q^t_f)))$    {Distributivity of PBMH}

$= RA \circ A(\lnot PBMH(P^f_f) \wedge \lnot PBMH(Q^f_f) \vdash \exists\, y \bullet y \in ac' \wedge ((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.tr = s.tr \wedge y.wait \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))$    {Lemma L.E.5.1}

$= RA \circ A(\lnot PBMH(P)^f_f \wedge \lnot PBMH(Q)^f_f \vdash \exists\, y \bullet y \in ac' \wedge ((PBMH(P)^t_f \wedge PBMH(Q)^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (PBMH(P)^t_f \vee PBMH(Q)^t_f)))$    {Assumption: P and Q are RAD-healthy and Theorem T.5.2.2}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \exists\, y \bullet y \in ac' \wedge ((P^t_f \wedge Q^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (P^t_f \vee Q^t_f)))$    {Definition of $\circledast^y_{ac'}$}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (P^t_f \vee Q^t_f)))$    {Definition of $\Box_{RAD}$}

$= P \Box_{RAD} Q$

□


Theorem T.5.4.34 Provided P and Q are RAD-healthy and A2-healthy,

$p2ac(ac2p(P) \Box_R ac2p(Q)) = P \Box_{RAD} Q$


Proof.

$p2ac(ac2p(P) \Box_R ac2p(Q))$    {Definition of $\Box_R$}

$= p2ac \circ R(\lnot ac2p(P)^f_f \wedge \lnot ac2p(Q)^f_f \vdash (ac2p(P)^t_f \wedge ac2p(Q)^t_f) \lhd tr' = tr \wedge wait' \rhd (ac2p(P)^t_f \vee ac2p(Q)^t_f))$    {Lemma L.C.5.31}

$= p2ac \circ R(\lnot ac2p(P^f_f) \wedge \lnot ac2p(Q^f_f) \vdash (ac2p(P^t_f) \wedge ac2p(Q^t_f)) \lhd tr' = tr \wedge wait' \rhd (ac2p(P^t_f) \vee ac2p(Q^t_f)))$    {Theorem T.5.3.4 and predicate calculus}

$= RA \circ A(\lnot p2ac(ac2p(P^f_f) \vee ac2p(Q^f_f)) \vdash p2ac((ac2p(P^t_f) \wedge ac2p(Q^t_f)) \lhd tr' = tr \wedge wait' \rhd (ac2p(P^t_f) \vee ac2p(Q^t_f))))$    {Definition of conditional and predicate calculus}

$= RA \circ A(\lnot p2ac(ac2p(P^f_f) \vee ac2p(Q^f_f)) \vdash p2ac((tr' = tr \wedge wait' \wedge ac2p(P^t_f) \wedge ac2p(Q^t_f)) \vee (tr' \neq tr \wedge (ac2p(P^t_f) \vee ac2p(Q^t_f))) \vee (\lnot wait' \wedge (ac2p(P^t_f) \vee ac2p(Q^t_f)))))$    {Theorem T.4.6.1}

$= RA \circ A(\lnot p2ac(ac2p(P^f_f) \vee ac2p(Q^f_f)) \vdash p2ac(tr' = tr \wedge wait' \wedge ac2p(P^t_f) \wedge ac2p(Q^t_f)) \vee p2ac(tr' \neq tr \wedge (ac2p(P^t_f) \vee ac2p(Q^t_f))) \vee p2ac(\lnot wait' \wedge (ac2p(P^t_f) \vee ac2p(Q^t_f))))$    {Theorem T.C.5.1}

$= RA \circ A(\lnot p2ac \circ ac2p(P^f_f \vee Q^f_f) \vdash p2ac(tr' = tr \wedge wait' \wedge ac2p(P^t_f) \wedge ac2p(Q^t_f)) \vee p2ac(tr' \neq tr \wedge ac2p(P^t_f \vee Q^t_f)) \vee p2ac(\lnot wait' \wedge ac2p(P^t_f \vee Q^t_f)))$    {Lemma L.C.5.14}

$= RA \circ A(\lnot p2ac \circ ac2p(P^f_f \vee Q^f_f) \vdash (\exists\, z \bullet (tr' = tr \wedge wait')[s, z/in\alpha_{ok}, out\alpha_{ok'}] \wedge (p2ac(ac2p(P^t_f) \wedge ac2p(Q^t_f)))[\{undash(z)\}/ac'] \wedge undash(z) \in ac') \vee (\exists\, z \bullet (tr' \neq tr)[s, z/in\alpha_{ok}, out\alpha_{ok'}] \wedge (p2ac \circ ac2p(P^t_f \vee Q^t_f))[\{undash(z)\}/ac'] \wedge undash(z) \in ac') \vee (\exists\, z \bullet (\lnot wait')[s, z/in\alpha_{ok}, out\alpha_{ok'}] \wedge (p2ac \circ ac2p(P^t_f \vee Q^t_f))[\{undash(z)\}/ac'] \wedge undash(z) \in ac'))$    {Substitution}

$= RA \circ A(\lnot p2ac \circ ac2p(P^f_f \vee Q^f_f) \vdash (\exists\, z \bullet (z.tr' = s.tr \wedge z.wait') \wedge (p2ac(ac2p(P^t_f) \wedge ac2p(Q^t_f)))[\{undash(z)\}/ac'] \wedge undash(z) \in ac') \vee (\exists\, z \bullet (z.tr' \neq s.tr) \wedge (p2ac \circ ac2p(P^t_f \vee Q^t_f))[\{undash(z)\}/ac'] \wedge undash(z) \in ac') \vee (\exists\, z \bullet (\lnot z.wait') \wedge (p2ac \circ ac2p(P^t_f \vee Q^t_f))[\{undash(z)\}/ac'] \wedge undash(z) \in ac'))$    {Lemmas L.C.5.10 and L.G.7.8}

$= RA \circ A(\lnot p2ac \circ ac2p(P^f_f \vee Q^f_f) \vdash (\exists\, z \bullet (z.tr' = s.tr \wedge z.wait') \wedge (p2ac \circ ac2p(P^t_f))[\{undash(z)\}/ac'] \wedge (p2ac \circ ac2p(Q^t_f))[\{undash(z)\}/ac'] \wedge undash(z) \in ac') \vee (\exists\, z \bullet (z.tr' \neq s.tr) \wedge (p2ac \circ ac2p(P^t_f \vee Q^t_f))[\{undash(z)\}/ac'] \wedge undash(z) \in ac') \vee (\exists\, z \bullet (\lnot z.wait') \wedge (p2ac \circ ac2p(P^t_f \vee Q^t_f))[\{undash(z)\}/ac'] \wedge undash(z) \in ac'))$    {P and Q are A2-healthy and Theorem T.4.2.14 and Lemmas L.C.1.22 and L.G.7.12}

$= RA \circ A(\lnot p2ac \circ ac2p(P^f_f \vee Q^f_f) \vdash (\exists\, z \bullet (z.tr' = s.tr \wedge z.wait') \wedge (P^t_f)[\{undash(z)\}/ac'] \wedge (Q^t_f)[\{undash(z)\}/ac'] \wedge undash(z) \in ac') \vee (\exists\, z \bullet (z.tr' \neq s.tr) \wedge (P^t_f \vee Q^t_f)[\{undash(z)\}/ac'] \wedge undash(z) \in ac') \vee (\exists\, z \bullet (\lnot z.wait') \wedge (P^t_f \vee Q^t_f)[\{undash(z)\}/ac'] \wedge undash(z) \in ac'))$    {P and Q are A2-healthy and Theorem T.4.2.14 and Lemmas L.C.1.22 and L.G.7.11}

$= RA \circ A(\lnot ((P^f_f \wedge ac' \neq \emptyset) \vee (Q^f_f \wedge ac' \neq \emptyset)) \vdash (\exists\, z \bullet (z.tr' = s.tr \wedge z.wait') \wedge (P^t_f[\{undash(z)\}/ac'] \wedge Q^t_f[\{undash(z)\}/ac']) \wedge undash(z) \in ac') \vee (\exists\, z \bullet (z.tr' \neq s.tr) \wedge (P^t_f \vee Q^t_f)[\{undash(z)\}/ac'] \wedge undash(z) \in ac') \vee (\exists\, z \bullet (\lnot z.wait') \wedge (P^t_f \vee Q^t_f)[\{undash(z)\}/ac'] \wedge undash(z) \in ac'))$    {Introduce fresh variable $y$}

$= RA \circ A(\lnot ((P^f_f \wedge ac' \neq \emptyset) \vee (Q^f_f \wedge ac' \neq \emptyset)) \vdash (\exists\, z, y \bullet (z.tr' = s.tr \wedge z.wait') \wedge (P^t_f[\{undash(z)\}/ac'] \wedge Q^t_f[\{undash(z)\}/ac']) \wedge y = undash(z) \wedge y \in ac') \vee (\exists\, z, y \bullet (z.tr' \neq s.tr) \wedge (P^t_f \vee Q^t_f)[\{undash(z)\}/ac'] \wedge y = undash(z) \wedge y \in ac') \vee (\exists\, z, y \bullet (\lnot z.wait') \wedge (P^t_f \vee Q^t_f)[\{undash(z)\}/ac'] \wedge y = undash(z) \wedge y \in ac'))$    {Property of $undash$ and $dash$}

$= RA \circ A(\lnot ((P^f_f \wedge ac' \neq \emptyset) \vee (Q^f_f \wedge ac' \neq \emptyset)) \vdash (\exists\, z, y \bullet (z.tr' = s.tr \wedge z.wait') \wedge (P^t_f[\{undash(z)\}/ac'] \wedge Q^t_f[\{undash(z)\}/ac']) \wedge dash(y) = z \wedge y \in ac') \vee (\exists\, z, y \bullet (z.tr' \neq s.tr) \wedge (P^t_f \vee Q^t_f)[\{undash(z)\}/ac'] \wedge dash(y) = z \wedge y \in ac') \vee (\exists\, z, y \bullet (\lnot z.wait') \wedge (P^t_f \vee Q^t_f)[\{undash(z)\}/ac'] \wedge dash(y) = z \wedge y \in ac'))$    {One-point rule}

$= RA \circ A(\lnot ((P^f_f \wedge ac' \neq \emptyset) \vee (Q^f_f \wedge ac' \neq \emptyset)) \vdash (\exists\, y \bullet (dash(y).tr' = s.tr \wedge dash(y).wait') \wedge (P^t_f[\{undash(dash(y))\}/ac'] \wedge Q^t_f[\{undash(dash(y))\}/ac']) \wedge y \in ac') \vee (\exists\, y \bullet (dash(y).tr' \neq s.tr) \wedge (P^t_f \vee Q^t_f)[\{undash(dash(y))\}/ac'] \wedge y \in ac') \vee (\exists\, y \bullet (\lnot dash(y).wait') \wedge (P^t_f \vee Q^t_f)[\{undash(dash(y))\}/ac'] \wedge y \in ac'))$    {Property of $dash$ and $undash$}

$= RA \circ A(\lnot ((P^f_f \wedge ac' \neq \emptyset) \vee (Q^f_f \wedge ac' \neq \emptyset)) \vdash (\exists\, y \bullet (y.tr = s.tr \wedge y.wait) \wedge (P^t_f[\{y\}/ac'] \wedge Q^t_f[\{y\}/ac']) \wedge y \in ac') \vee (\exists\, y \bullet y.tr \neq s.tr \wedge (P^t_f \vee Q^t_f)[\{y\}/ac'] \wedge y \in ac') \vee (\exists\, y \bullet \lnot y.wait \wedge (P^t_f \vee Q^t_f)[\{y\}/ac'] \wedge y \in ac'))$    {Property of substitution}

$= RA \circ A(\lnot ((P^f_f \wedge ac' \neq \emptyset) \vee (Q^f_f \wedge ac' \neq \emptyset)) \vdash (\exists\, y \bullet y.tr = s.tr \wedge y.wait \wedge (P^t_f \wedge Q^t_f)[\{y\}/ac'] \wedge y \in ac') \vee (\exists\, y \bullet y.tr \neq s.tr \wedge (P^t_f \vee Q^t_f)[\{y\}/ac'] \wedge y \in ac') \vee (\exists\, y \bullet \lnot y.wait \wedge (P^t_f \vee Q^t_f)[\{y\}/ac'] \wedge y \in ac'))$    {Assumption: P and Q are RAD-healthy and so PBMH-healthy (Theorem T.5.2.2); Lemmas L.E.4.5 and L.G.7.28 and Theorems T.E.3.1 and T.E.3.2}

$= RA \circ A(\lnot ((P^f_f \wedge ac' \neq \emptyset) \vee (Q^f_f \wedge ac' \neq \emptyset)) \vdash \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait \wedge (P^t_f \wedge Q^t_f)) \vee \circledast^y_{ac'}(y.tr \neq s.tr \wedge (P^t_f \vee Q^t_f)) \vee \circledast^y_{ac'}(\lnot y.wait \wedge (P^t_f \vee Q^t_f)))$    {Lemma L.G.7.31}

$= RA \circ A(\lnot ((P^f_f \wedge ac' \neq \emptyset) \vee (Q^f_f \wedge ac' \neq \emptyset)) \vdash \circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (P^t_f \vee Q^t_f)))$    {Predicate calculus}

$= RA \circ A(\lnot ((P^f_f \vee Q^f_f) \wedge ac' \neq \emptyset) \vdash \circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (P^t_f \vee Q^t_f)))$    {Theorem T.G.1.6}

$= RA \circ PBMH(\lnot ((P^f_f \vee Q^f_f) \wedge ac' \neq \emptyset) \vdash \circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (P^t_f \vee Q^t_f)))$    {Lemma L.4.2.2}

$= RA(\lnot PBMH((P^f_f \vee Q^f_f) \wedge ac' \neq \emptyset) \vdash PBMH(\circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (P^t_f \vee Q^t_f))))$    {Assumption: P and Q are RAD-healthy and so PBMH-healthy (Theorem T.5.2.2); Lemmas L.E.4.4 and L.E.5.1 and Theorems T.E.3.1 and T.E.3.2}

$= RA(\lnot ((P^f_f \vee Q^f_f) \wedge ac' \neq \emptyset) \vdash PBMH(\circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (P^t_f \vee Q^t_f))))$    {$\circledast^y_{ac'} \Rightarrow ac' \neq \emptyset$, definition of RA1 and Lemma L.G.1.18}

$= RA(\lnot (P^f_f \vee Q^f_f) \vdash PBMH(\circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (P^t_f \vee Q^t_f))))$    {Assumption: P and Q are RAD-healthy and so PBMH-healthy (Theorem T.5.2.2); Lemma L.E.5.1 and Theorem T.E.3.2}

$= RA(\lnot PBMH(P^f_f \vee Q^f_f) \vdash PBMH(\circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (P^t_f \vee Q^t_f))))$    {Lemma L.4.2.2}

$= RA \circ PBMH(\lnot (P^f_f \vee Q^f_f) \vdash \circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (P^t_f \vee Q^t_f)))$    {Theorem T.G.1.6}

$= RA \circ A(\lnot (P^f_f \vee Q^f_f) \vdash \circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.tr = s.tr \wedge y.wait \rhd (P^t_f \vee Q^t_f)))$    {Definition of $\Box_{RAD}$}

$= P \Box_{RAD} Q$

□


Closure 

Theorem T.5.4.35 Provided P and Q are reactive angelic designs and A2-healthy,

$A2(P \Box_{RAD} Q) = P \Box_{RAD} Q$


Proof.

$P \Box_{RAD} Q$    {Definition of $\Box_{RAD}$}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.wait \wedge y.tr = s.tr \rhd (P^t_f \vee Q^t_f)))$    {Assumption: P and Q are RAD-healthy and Theorem T.5.2.2}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((PBMH(P)^t_f \wedge PBMH(Q)^t_f) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P)^t_f \vee PBMH(Q)^t_f)))$    {Lemma L.E.5.1}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))$    {Theorems T.E.3.1 and T.E.3.2}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}(PBMH(PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd PBMH(PBMH(P^t_f) \vee PBMH(Q^t_f))))$    {Lemma L.E.4.9}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}(PBMH((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f)))))$    {Theorem T.G.7.17}

$= RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash A2(\circledast^y_{ac'}(PBMH((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))))$    {Assumption: P and Q are A2-healthy}

$= RA \circ A(\lnot A2(P)^f_f \wedge \lnot A2(Q)^f_f \vdash A2(\circledast^y_{ac'}(PBMH((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))))$    {Lemma L.C.1.22}

$= RA \circ A(\lnot A2(P^f_f) \wedge \lnot A2(Q^f_f) \vdash A2(\circledast^y_{ac'}(PBMH((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))))$    {Predicate calculus and Theorem T.4.2.14}

$= RA \circ A(\lnot A2(P^f_f \vee Q^f_f) \vdash A2(\circledast^y_{ac'}(PBMH((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))))$    {Lemma L.G.4.10}

$= A2 \circ RA \circ A(\lnot A2(P^f_f \vee Q^f_f) \vdash A2(\circledast^y_{ac'}(PBMH((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))))$    {Predicate calculus and Theorem T.4.2.14}

$= A2 \circ RA \circ A(\lnot A2(P^f_f) \wedge \lnot A2(Q^f_f) \vdash A2(\circledast^y_{ac'}(PBMH((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))))$    {Lemma L.C.1.22}

$= A2 \circ RA \circ A(\lnot A2(P)^f_f \wedge \lnot A2(Q)^f_f \vdash A2(\circledast^y_{ac'}(PBMH((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))))$    {Assumption: P and Q are A2-healthy}

$= A2 \circ RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash A2(\circledast^y_{ac'}(PBMH((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))))$    {Theorem T.G.7.17}

$= A2 \circ RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}(PBMH((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f)))))$    {Lemma L.E.4.9}

$= A2 \circ RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}(PBMH(PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd PBMH(PBMH(P^t_f) \vee PBMH(Q^t_f))))$    {Theorems T.E.3.1 and T.E.3.2}

$= A2 \circ RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((PBMH(P^t_f) \wedge PBMH(Q^t_f)) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P^t_f) \vee PBMH(Q^t_f))))$    {Lemma L.E.5.1}

$= A2 \circ RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((PBMH(P)^t_f \wedge PBMH(Q)^t_f) \lhd y.wait \wedge y.tr = s.tr \rhd (PBMH(P)^t_f \vee PBMH(Q)^t_f)))$    {Assumption: P and Q are RAD-healthy and Theorem T.5.2.2}

$= A2 \circ RA \circ A(\lnot P^f_f \wedge \lnot Q^f_f \vdash \circledast^y_{ac'}((P^t_f \wedge Q^t_f) \lhd y.wait \wedge y.tr = s.tr \rhd (P^t_f \vee Q^t_f)))$    {Definition of $\Box_{RAD}$}

$= A2(P \Box_{RAD} Q)$

□


Properties and Examples 

Lemma L.G.8.15 $(Skip_{RAD} \sqcup_{RAD} Stop_{RAD}) \Box_{RAD} Stop_{RAD} = \top_{RAD}$

Proof.

$(Skip_{RAD} \sqcup_{RAD} Stop_{RAD}) \Box_{RAD} Stop_{RAD}$    {Result of Example 32}

$= RA \circ A(true \vdash \circledast^y_{ac'}(y.tr = s.tr \wedge y.wait) \wedge \circledast^y_{ac'}(\lnot y.wait \wedge y.tr = s.tr)) \Box_{RAD} Stop_{RAD}$    {Theorem T.5.4.30}

$= RA \circ A(true \vdash \exists\, z \bullet (\circledast^y_{ac'}(y.tr = s.tr \wedge y.wait) \wedge \circledast^y_{ac'}(\lnot y.wait \wedge y.tr = s.tr))[\{z\}/ac'] \wedge z \in ac')$    {Substitution and property of sets}

$= RA \circ A(true \vdash \exists\, z \bullet z.tr = s.tr \wedge z.wait \wedge \lnot z.wait \wedge z.tr = s.tr \wedge z \in ac')$    {Predicate calculus}

$= RA \circ A(true \vdash false)$    {Definition of $\top_{RAD}$}

$= \top_{RAD}$

□


Lemma L.G.8.16 (SkipnAD U RA d Stop KAI) ) Drad Skip KAI) = Skip nA n 


Proof. 

( Skipn A n Urad ^o^rad) Drad 5^Prad 


{Result of Example [32] and definition of Skipn A D } 
/ RA o A {true b (e ) v ac ,(y.tr = s.tr A y.wait) A (e)^ ,(-i y.wait A y.tr = s.tr)) \ 

1=1 RAD 

\ RA o A (true b (^f ac ,{~ 1 y.wait A y.tr = s.tr)) 


{Theorem IT. G. 8.101 } 
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/ true A true 
b 

/ f (Dac'(^' ir = S -^ r ^ y- wa tt) \ 

A 

(ef ,(-1 y.wait A y.tr = s.tr) 

A 

\ (DL(- y-wait Ay.tr = s.tr ) / 

<s.tr = y.tr A y.wait> 

( ( (ef ac/ (y.tr = s.tr A y.wait) \ \ 
A 

V (DL(^ V- wait Ay.tr = s.tr) / 


\ 


\ 


V 


V 


/ 


/ 


/ 


V ©LC " 1 y- wait Ay.tr = s.tr) 

(Predicate calculus and absorption law} 

/ true \ 

b 

( ( (&) y ,(y.tr = s.tr A y.wait) \ \ 

A 

V ©L(^ y- wait Ay.tr = s.tr) J 
<s.tr = y.tr A y.wait> 


V 

/ true 
b 

/ 


y.wait A y.tr = s.tr) 


( s.tr = y.tr A y.wait \ 

A 

(€) y ac ,(y-tr = s.tr A y.wait) 

A 

\ ©^,(-1 y.wait Ay.tr = s.tr) J 




{Lemma IL.G.7.3TI } 




\ 


\ 


V 


(Dl'( s -tr ^ y- tr A ©^(^ y.wait A y.tr = s.tr)) 

V 

V ©I'h y-wait A (ef ac ,(-> y.wait Ay.tr = s.tr)) J 




{Variable renaming} 
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/ true 
b 

/ ( s.tr = y.tr A y.wait 

A 

(e y ,(z.tr = s.tr A z.wait) 
A 


\ 


V 


\ 




V ©~ c © z - wa tt A z.tr = s.tr ) / 


V 


(&) y ,(s.tr 7 ^ y.tr A (e)* ,(-> z.wait A z.tr = s.tr)) 

V 

V ©L© V-wait A ©L© z.wait Az.tr = s.tr)) ) 


{Lemma IL.G.7.371 } 


/ true 
b 

/ 


\ 


/ s.tr = y.tr A y.wait \ 
A 

y.tr = s.tr A y.wait 
A 

\ -i y.wait A y.tr = s.tr j 


\ 


V 


{Predicate calculus} 


/ 


\ 


(e©(s.tr 7 ^ y.tr A -< y.wait A y.tr = s.tr) 

V 

V ©l© V-wait A -i y.wait A y.tr = s.tr) ) 

( true 
b 

/ ©1 ,{f alse ) \ 

V 

© lM alse ) 

V 

V ©"© y-wait A -i y.wait A y.tr = s.tr) ) 

{Predicate calculus and definition of (e)^ ,} 


/ 


\ 


/ trite 
= b 

\ ©1© y-wait Ay.tr = s.tr) J 
{Definition of $Skip_{RAD}$}

$= Skip_{RAD}$

□
Appendix H
Angelic Processes

H.1 Healthiness Conditions

H.1.1 $H_{AP}$

Lemma L.H.1.1 $RA2(H_{AP}) = H_{AP}$

Proof.

$RA2(H_{AP})$ {Definition of $H_{AP}$}
$= RA2 \circ H1(ok' \wedge s \in ac')$ {Definition of H1}
$= RA2(\lnot ok \vee (ok' \wedge s \in ac'))$ {Theorem T.5.2.7}
$= RA2(\lnot ok) \vee RA2(ok' \wedge s \in ac')$ {Theorem T.5.2.6}
$= RA2(\lnot ok) \vee (RA2(ok') \wedge RA2(s \in ac'))$ {Lemma L.G.2.4}
$= \lnot ok \vee (ok' \wedge RA2(s \in ac'))$ {Lemma L.G.2.3}
$= \lnot ok \vee (ok' \wedge s \in ac')$ {Definition of H1 and $H_{AP}$}
$= H_{AP}$

□

Lemma L.H.1.2 $RA1(H_{AP}) = H_{RAD}$

Proof.

$RA1(H_{AP})$ {Definition of $H_{AP}$}
$= RA1 \circ H1(ok' \wedge s \in ac')$ {Definition of H1 and predicate calculus}
$= RA1(\lnot ok \vee (ok' \wedge s \in ac'))$ {Theorem T.5.2.3}
$= RA1(\lnot ok) \vee RA1(ok' \wedge s \in ac')$ {Lemma L.G.1.16}
$= RA1(\lnot ok) \vee (ok' \wedge RA1(s \in ac'))$ {Lemma L.G.1.14}
$= RA1(\lnot ok) \vee (ok' \wedge s \in ac')$ {Definition of $H_{RAD}$}
$= H_{RAD}$

□
H.1.2 $RA3_{AP}$

Theorem T.6.2.1 $RA3_{AP} \circ RA3_{AP}(P) = RA3_{AP}(P)$

Proof.

$RA3_{AP} \circ RA3_{AP}(P)$ {Definition of $RA3_{AP}$}
$= RA3_{AP}(H1(ok' \wedge s \in ac') \lhd s.wait \rhd P)$ {Definition of $RA3_{AP}$}
$= H1(ok' \wedge s \in ac') \lhd s.wait \rhd (H1(ok' \wedge s \in ac') \lhd s.wait \rhd P)$ {Property of conditional}
$= H1(ok' \wedge s \in ac') \lhd s.wait \rhd P$ {Definition of $RA3_{AP}$}
$= RA3_{AP}(P)$

□


Theorem T.6.2.2 $P \sqsubseteq Q \Rightarrow RA3_{AP}(P) \sqsubseteq RA3_{AP}(Q)$

Proof.

$RA3_{AP}(Q)$ {Assumption: $P \sqsubseteq Q = [Q \Rightarrow P]$}
$= RA3_{AP}(Q \wedge P)$ {Theorem T.6.2.3}
$= RA3_{AP}(Q) \wedge RA3_{AP}(P)$ {Predicate calculus}
$\sqsupseteq RA3_{AP}(P)$

□

Theorem T.6.2.3 $RA3_{AP}(P \wedge Q) = RA3_{AP}(P) \wedge RA3_{AP}(Q)$

Proof.

$RA3_{AP}(P \wedge Q)$ {Definition of $RA3_{AP}$}
$= H_{AP} \lhd s.wait \rhd (P \wedge Q)$ {Predicate calculus}
$= (H_{AP} \wedge H_{AP}) \lhd s.wait \rhd (P \wedge Q)$ {Property of conditional}
$= (H_{AP} \lhd s.wait \rhd P) \wedge (H_{AP} \lhd s.wait \rhd Q)$ {Definition of $RA3_{AP}$}
$= RA3_{AP}(P) \wedge RA3_{AP}(Q)$

□

Theorem T.6.2.4 $RA3_{AP}(P \vee Q) = RA3_{AP}(P) \vee RA3_{AP}(Q)$

Proof.

$RA3_{AP}(P \vee Q)$ {Definition of $RA3_{AP}$}
$= H_{AP} \lhd s.wait \rhd (P \vee Q)$ {Predicate calculus}
$= (H_{AP} \vee H_{AP}) \lhd s.wait \rhd (P \vee Q)$ {Property of conditional}
$= (H_{AP} \lhd s.wait \rhd P) \vee (H_{AP} \lhd s.wait \rhd Q)$ {Definition of $RA3_{AP}$}
$= RA3_{AP}(P) \vee RA3_{AP}(Q)$

□


Theorem T.6.2.5 Provided $P$ and $Q$ are $RA3_{AP}$-healthy,
$RA3_{AP}(P \,;_A\, Q) = P \,;_A\, Q$

Proof.

$P \,;_A\, Q$ {Assumption: $P$ is $RA3_{AP}$-healthy}
$= RA3_{AP}(P) \,;_A\, Q$ {Definition of $RA3_{AP}$}
$= (H_{AP} \lhd s.wait \rhd P) \,;_A\, Q$ {Lemmas L.F.1.1, L.F.1.4 and L.F.1.5}
$= (H_{AP} \,;_A\, Q) \lhd s.wait \rhd (P \,;_A\, Q)$ {Definition of $H_{AP}$}
$= (H1(ok' \wedge s \in ac') \,;_A\, Q) \lhd s.wait \rhd (P \,;_A\, Q)$ {Definition of H1}
$= ((ok \Rightarrow (ok' \wedge s \in ac')) \,;_A\, Q) \lhd s.wait \rhd (P \,;_A\, Q)$ {Predicate calculus and Lemmas L.F.1.1 and L.F.1.4}
$= (ok \Rightarrow ((ok' \wedge s \in ac') \,;_A\, Q)) \lhd s.wait \rhd (P \,;_A\, Q)$ {Lemmas L.F.1.1 and L.F.1.5}
$= (ok \Rightarrow (ok' \wedge (s \in ac' \,;_A\, Q))) \lhd s.wait \rhd (P \,;_A\, Q)$ {Lemma L.F.6.2}
$= (ok \Rightarrow (ok' \wedge Q)) \lhd s.wait \rhd (P \,;_A\, Q)$ {Assumption: $Q$ is $RA3_{AP}$-healthy}
$= (ok \Rightarrow (ok' \wedge RA3_{AP}(Q))) \lhd s.wait \rhd (P \,;_A\, Q)$ {Definition of $RA3_{AP}$}
$= (ok \Rightarrow (ok' \wedge (H_{AP} \lhd s.wait \rhd Q))) \lhd s.wait \rhd (P \,;_A\, Q)$ {Property of conditional}
$= (ok \Rightarrow (ok' \wedge H_{AP})) \lhd s.wait \rhd (P \,;_A\, Q)$ {Definition of $H_{AP}$}
$= (ok \Rightarrow (ok' \wedge H1(ok' \wedge s \in ac'))) \lhd s.wait \rhd (P \,;_A\, Q)$ {Definition of H1}
$= (ok \Rightarrow (ok' \wedge (ok \Rightarrow (ok' \wedge s \in ac')))) \lhd s.wait \rhd (P \,;_A\, Q)$ {Predicate calculus}
$= (ok \Rightarrow (ok' \wedge s \in ac')) \lhd s.wait \rhd (P \,;_A\, Q)$ {Definition of H1 and $H_{AP}$}
$= H_{AP} \lhd s.wait \rhd (P \,;_A\, Q)$ {Definition of $RA3_{AP}$}
$= RA3_{AP}(P \,;_A\, Q)$

□


Theorem T.6.2.6 $RA3_{AP} \circ PBMH(P) = PBMH \circ RA3_{AP}(P)$

Proof.

$RA3_{AP} \circ PBMH(P)$ {Definition of $RA3_{AP}$}
$= H1(ok' \wedge s \in ac') \lhd s.wait \rhd PBMH(P)$ {Lemma L.E.4.3}
$= H1(ok' \wedge PBMH(s \in ac')) \lhd s.wait \rhd PBMH(P)$ {Lemma L.E.4.8}
$= H1 \circ PBMH(ok' \wedge s \in ac') \lhd s.wait \rhd PBMH(P)$ {Theorem T.E.6.2}
$= PBMH \circ H1(ok' \wedge s \in ac') \lhd s.wait \rhd PBMH(P)$ {Lemma L.E.4.9}
$= PBMH(H1(ok' \wedge s \in ac') \lhd s.wait \rhd P)$ {Definition of $RA3_{AP}$}
$= PBMH \circ RA3_{AP}(P)$

□


Theorem T.6.2.7 $RA2 \circ RA3_{AP}(P) = RA3_{AP} \circ RA2(P)$

Proof.

$RA2 \circ RA3_{AP}(P)$ {Definition of $RA3_{AP}$}
$= RA2(H_{AP} \lhd s.wait \rhd P)$ {Lemma L.G.2.6 and $s.wait$ is RA2-healthy}
$= RA2(H_{AP}) \lhd s.wait \rhd RA2(P)$ {Lemma L.H.1.1}
$= H_{AP} \lhd s.wait \rhd RA2(P)$ {Definition of $RA3_{AP}$}
$= RA3_{AP} \circ RA2(P)$

□


Lemma L.6.2.1 $PBMH \circ RA3_{AP} \circ PBMH(P) = RA3_{AP} \circ PBMH(P)$

Proof.

$PBMH \circ RA3_{AP} \circ PBMH(P)$ {Theorem T.6.2.6}
$= PBMH \circ PBMH \circ RA3_{AP}(P)$ {Theorem T.E.2.1}
$= PBMH \circ RA3_{AP}(P)$ {Theorem T.6.2.6}
$= RA3_{AP} \circ PBMH(P)$

□


Theorem T.H.1.1 $RA1 \circ RA3_{AP}(P) = RA3 \circ RA1(P)$

Proof.

$RA1 \circ RA3_{AP}(P)$ {Definition of $RA3_{AP}$}
$= RA1(H_{AP} \lhd s.wait \rhd P)$ {Lemma L.G.1.15}
$= RA1(H_{AP}) \lhd s.wait \rhd RA1(P)$ {Lemma L.H.1.2}
$= H_{RAD} \lhd s.wait \rhd RA1(P)$ {Definition of RA3}
$= RA3 \circ RA1(P)$

□


Properties

Lemma L.H.1.3 $RA3_{AP} \circ H1(P) = H1((ok' \wedge s \in ac') \lhd s.wait \rhd P)$

Proof.

$RA3_{AP} \circ H1(P)$ {Definition of $RA3_{AP}$}
$= H_{AP} \lhd s.wait \rhd H1(P)$ {Definition of $H_{AP}$}
$= H1(ok' \wedge s \in ac') \lhd s.wait \rhd H1(P)$ {Lemma L.A.2.1}
$= H1((ok' \wedge s \in ac') \lhd s.wait \rhd P)$

□


Lemma L.H.1.4 $RA3_{AP}(P \vdash Q) = (true \lhd s.wait \rhd P \vdash s \in ac' \lhd s.wait \rhd Q)$

Proof.

$RA3_{AP}(P \vdash Q)$ {Definition of design}
$= RA3_{AP}((ok \wedge P) \Rightarrow (Q \wedge ok'))$ {Predicate calculus}
$= RA3_{AP}(\lnot ok \vee \lnot P \vee (Q \wedge ok'))$ {Predicate calculus}
$= RA3_{AP}(ok \Rightarrow (P \Rightarrow (Q \wedge ok')))$ {Definition of H1}
$= RA3_{AP} \circ H1(P \Rightarrow (Q \wedge ok'))$ {Lemma L.H.1.3}
$= H1((ok' \wedge s \in ac') \lhd s.wait \rhd (P \Rightarrow (Q \wedge ok')))$ {Definition of conditional}
$= H1((s.wait \wedge ok' \wedge s \in ac') \vee (\lnot s.wait \wedge (P \Rightarrow (Q \wedge ok'))))$ {Predicate calculus}
$= H1((s.wait \wedge ok' \wedge s \in ac') \vee (\lnot s.wait \wedge \lnot P) \vee (\lnot s.wait \wedge Q \wedge ok'))$ {Predicate calculus}
$= H1((ok' \wedge ((s.wait \wedge s \in ac') \vee (\lnot s.wait \wedge Q))) \vee (\lnot s.wait \wedge \lnot P))$ {Property of conditional}
$= H1((ok' \wedge (s \in ac' \lhd s.wait \rhd Q)) \vee (false \lhd s.wait \rhd \lnot P))$ {Predicate calculus and definition of H1}
$= (ok \wedge \lnot (false \lhd s.wait \rhd \lnot P)) \Rightarrow (ok' \wedge (s \in ac' \lhd s.wait \rhd Q))$ {Definition of design}
$= (\lnot (false \lhd s.wait \rhd \lnot P) \vdash (s \in ac' \lhd s.wait \rhd Q))$ {Lemma L.A.1.3}
$= (true \lhd s.wait \rhd P \vdash s \in ac' \lhd s.wait \rhd Q)$

□
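A way to sanity-check the $RA3_{AP}$ laws of this section mechanically, as an added example and not code from the thesis: the checker below models the operators of Section H.1.2 on a constructed finite alphabet (assumed: a state carries only a wait flag and a one-bit stand-in for the trace, and $ac'$ ranges over all subsets of those states) and evaluates Theorems T.6.2.1 to T.6.2.4 and Lemmas L.H.1.3 and L.H.1.4 on every observation for a batch of seeded random predicates. Because $RA3_{AP}$ fixes the $s.wait$ branch to $H_{AP}$ regardless of $P$, the same checker also shows why distribution over negation is not a law.

```python
"""Brute-force check of the RA3_AP laws over a tiny finite model.

Added example (not code from the thesis). Assumed, constructed model: a state s
has a wait flag and a one-bit trace stand-in; ac' is any set of such states;
ok and ok' are Booleans. Predicates are Python callables on observations.
"""
from collections import namedtuple
from itertools import combinations, product
import random

State = namedtuple("State", "wait tr")
Obs = namedtuple("Obs", "ok okp s ac")          # ok, ok', s, ac'

STATES = tuple(State(w, t) for w in (False, True) for t in (0, 1))
SUBSETS = tuple(frozenset(c) for r in range(len(STATES) + 1)
                for c in combinations(STATES, r))
OBS = tuple(Obs(ok, okp, s, ac) for ok, okp, s, ac in
            product((False, True), (False, True), STATES, SUBSETS))


def equal(p, q):
    """[P = Q]: the two predicates agree on every observation."""
    return all(p(o) == q(o) for o in OBS)


def refined_by(p, q):
    """P is refined by Q, i.e. [Q => P]."""
    return all((not q(o)) or p(o) for o in OBS)


# The operators of Section H.1.2, written as predicate transformers.
def H1(p):
    return lambda o: (not o.ok) or p(o)                   # ok => P


def cond(p, b, q):
    return lambda o: p(o) if b(o) else q(o)               # P <| b |> Q


def design(p, q):
    return lambda o: (not (o.ok and p(o))) or (o.okp and q(o))  # P |- Q


def wait(o):
    return o.s.wait                                       # s.wait


def s_in_ac(o):
    return o.s in o.ac                                    # s in ac'


def okp_and_s_in_ac(o):
    return o.okp and o.s in o.ac                          # ok' and s in ac'


H_AP = H1(okp_and_s_in_ac)                                # H1(ok' and s in ac')


def RA3_AP(p):
    return cond(H_AP, wait, p)                            # H_AP <| s.wait |> P


def conj(p, q):
    return lambda o: p(o) and q(o)


def disj(p, q):
    return lambda o: p(o) or q(o)


def neg(p):
    return lambda o: not p(o)


def true(o):
    return True


def random_predicates(n, seed=0):
    """n arbitrary predicates, as lookup tables filled from a seeded RNG."""
    rng = random.Random(seed)
    preds = []
    for _ in range(n):
        table = {o: rng.random() < 0.5 for o in OBS}
        preds.append(lambda o, t=table: t[o])
    return preds


def check_laws(preds):
    """Each RA3_AP law from the text, checked on every predicate (pair) given."""
    pairs = [(p, q) for p in preds for q in preds]
    return {
        "T.6.2.1 idempotent": all(equal(RA3_AP(RA3_AP(p)), RA3_AP(p)) for p in preds),
        # P is always refined by P and R, so RA3_AP must preserve that ordering
        "T.6.2.2 monotonic": all(refined_by(RA3_AP(p), RA3_AP(conj(p, r))) for p, r in pairs),
        "T.6.2.3 conjunction": all(equal(RA3_AP(conj(p, q)), conj(RA3_AP(p), RA3_AP(q))) for p, q in pairs),
        "T.6.2.4 disjunction": all(equal(RA3_AP(disj(p, q)), disj(RA3_AP(p), RA3_AP(q))) for p, q in pairs),
        "L.H.1.3 H1": all(equal(RA3_AP(H1(p)), H1(cond(okp_and_s_in_ac, wait, p))) for p in preds),
        "L.H.1.4 design": all(equal(RA3_AP(design(p, q)),
                                    design(cond(true, wait, p), cond(s_in_ac, wait, q))) for p, q in pairs),
    }


def distributes_over_negation(preds):
    """Not a law: RA3_AP(not P) differs from not RA3_AP(P) on every s.wait observation."""
    return all(equal(RA3_AP(neg(p)), neg(RA3_AP(p))) for p in preds)


if __name__ == "__main__":
    for name, holds in check_laws(random_predicates(10, seed=1)).items():
        print(f"{name}: {'holds' if holds else 'FAILS'}")
```

The model is deliberately small (256 observations), so `equal` can quantify over all of them; the random tables stand in for arbitrary $P$ and $Q$, which is enough to catch a wrongly transcribed law but is evidence, not proof.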


H.1.3 AP

Main Results

Theorem T.6.2.8 $AP(P) = RA3_{AP} \circ RA2 \circ A(\lnot P^f_f \vdash P^t_f)$

Proof.

$AP(P)$ {Definition of AP}
$= RA3_{AP} \circ RA2 \circ A \circ H1 \circ CSPA2(P)$ {Definition of CSPA2}
$= RA3_{AP} \circ RA2 \circ A \circ H1 \circ H2(P)$ {Property of designs}
$= RA3_{AP} \circ RA2 \circ A(\lnot P^f \vdash P^t)$ {Theorem T.6.2.7}
$= RA2 \circ RA3_{AP} \circ A(\lnot P^f \vdash P^t)$ {Lemma L.5.2.1}
$= RA2 \circ RA3_{AP}(A(\lnot P^f \vdash P^t)_f)$ {Lemma L.C.1.5}
$= RA2 \circ RA3_{AP} \circ A((\lnot P^f \vdash P^t)_f)$ {Substitution}
$= RA2 \circ RA3_{AP} \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.6.2.7}
$= RA3_{AP} \circ RA2 \circ A(\lnot P^f_f \vdash P^t_f)$

□


Theorem T.6.2.9 $AP(P) = (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$

Proof.

$AP(P)$ {Theorem T.6.2.8}
$= RA3_{AP} \circ RA2 \circ A(\lnot P^f_f \vdash P^t_f)$ {Definition of A}
$= RA3_{AP} \circ RA2(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f) \wedge ac' \neq \emptyset)$ {Lemma L.G.2.15}
$= RA3_{AP}(\lnot RA2 \circ PBMH(P^f_f) \vdash RA2(PBMH(P^t_f) \wedge ac' \neq \emptyset))$ {Lemma L.G.2.9}
$= RA3_{AP}(\lnot RA2 \circ PBMH(P^f_f) \vdash RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.H.1.4}
$= (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$

□


Theorem T.H.1.2 $AP \circ AP(P) = AP(P)$

Proof.

$AP \circ AP(P)$ {Definition of AP (Theorem T.6.2.8)}
$= RA3_{AP} \circ RA2 \circ A(\lnot AP(P)^f_f \vdash AP(P)^t_f)$ {Lemmas L.H.1.6 and L.H.1.7}
$= RA3_{AP} \circ RA2 \circ A(\lnot (ok \Rightarrow RA2 \circ PBMH(P^f_f)) \vdash ((ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow RA2 \circ RA1 \circ PBMH(P^t_f)))$ {Predicate calculus}
$= RA3_{AP} \circ RA2 \circ A((ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \vdash ((ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow RA2 \circ RA1 \circ PBMH(P^t_f)))$ {Definition of design and predicate calculus}
$= RA3_{AP} \circ RA2 \circ A(ok \wedge \lnot RA2 \circ PBMH(P^f_f) \vdash RA2 \circ RA1 \circ PBMH(P^t_f))$ {Definition of design and predicate calculus}
$= RA3_{AP} \circ RA2 \circ A(\lnot RA2 \circ PBMH(P^f_f) \vdash RA2 \circ RA1 \circ PBMH(P^t_f))$ {Definition of A}
$= RA3_{AP} \circ RA2 \circ A0 \circ PBMH(\lnot RA2 \circ PBMH(P^f_f) \vdash RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.4.2.2}
$= RA3_{AP} \circ RA2 \circ A0(\lnot PBMH \circ RA2 \circ PBMH(P^f_f) \vdash PBMH \circ RA2 \circ RA1 \circ PBMH(P^t_f))$ {Theorems T.5.2.5 and T.5.2.11}
$= RA3_{AP} \circ RA2 \circ A0(\lnot RA2 \circ PBMH(P^f_f) \vdash RA2 \circ RA1 \circ PBMH(P^t_f))$ {Theorem T.4.2.3}
$= RA3_{AP} \circ RA2(\lnot RA2 \circ PBMH(P^f_f) \vdash RA2 \circ RA1 \circ PBMH(P^t_f) \wedge ac' \neq \emptyset)$ {Theorem T.5.2.10 and Lemma L.G.1.6}
$= RA3_{AP} \circ RA2(\lnot RA2 \circ PBMH(P^f_f) \vdash RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.G.2.9}
$= RA3_{AP} \circ RA2(\lnot RA2 \circ PBMH(P^f_f) \vdash RA2(PBMH(P^t_f) \wedge ac' \neq \emptyset))$ {Lemma L.G.2.15}
$= RA3_{AP} \circ RA2 \circ RA2(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f) \wedge ac' \neq \emptyset)$ {Theorem T.G.2.1}
$= RA3_{AP} \circ RA2(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f) \wedge ac' \neq \emptyset)$ {Theorem T.4.2.3}
$= RA3_{AP} \circ RA2 \circ A0(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f))$ {Lemma L.4.2.2}
$= RA3_{AP} \circ RA2 \circ A0 \circ PBMH(\lnot P^f_f \vdash P^t_f)$ {Definition of A}
$= RA3_{AP} \circ RA2 \circ A(\lnot P^f_f \vdash P^t_f)$ {Definition of AP (Theorem T.6.2.8)}
$= AP(P)$

□


Theorem T.H.1.3 $PBMH \circ AP(P) = AP(P)$

Proof.

$PBMH \circ AP(P)$ {Definition of AP}
$= PBMH \circ RA3_{AP} \circ RA2 \circ A \circ H1 \circ CSPA2(P)$ {Definition of A}
$= PBMH \circ RA3_{AP} \circ RA2 \circ A0 \circ A1 \circ H1 \circ CSPA2(P)$ {Theorem T.4.2.6}
$= PBMH \circ RA3_{AP} \circ RA2 \circ A0 \circ A1 \circ A1 \circ H1 \circ CSPA2(P)$ {Theorem T.4.2.8}
$= PBMH \circ RA3_{AP} \circ RA2 \circ A1 \circ A0 \circ A1 \circ H1 \circ CSPA2(P)$ {A1 is PBMH}
$= PBMH \circ RA3_{AP} \circ RA2 \circ PBMH \circ A0 \circ A1 \circ H1 \circ CSPA2(P)$ {Theorem T.5.2.11}
$= PBMH \circ RA3_{AP} \circ PBMH \circ RA2 \circ PBMH \circ A0 \circ A1 \circ H1 \circ CSPA2(P)$ {Theorems T.E.2.1 and T.G.3.7}
$= RA3_{AP} \circ PBMH \circ RA2 \circ PBMH \circ A0 \circ A1 \circ H1 \circ CSPA2(P)$ {Theorem T.5.2.11}
$= RA3_{AP} \circ RA2 \circ PBMH \circ A0 \circ A1 \circ H1 \circ CSPA2(P)$ {A1 is PBMH}
$= RA3_{AP} \circ RA2 \circ A1 \circ A0 \circ A1 \circ H1 \circ CSPA2(P)$ {Theorems T.4.2.8 and T.4.2.6}
$= RA3_{AP} \circ RA2 \circ A0 \circ A1 \circ H1 \circ CSPA2(P)$ {Definition of A}
$= RA3_{AP} \circ RA2 \circ A \circ H1 \circ CSPA2(P)$ {Definition of AP}
$= AP(P)$

□


Theorem T.H.1.4 $RA3_{AP} \circ RA2 \circ A(P \vdash Q) = (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(\lnot P) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q))$

Proof.

$RA3_{AP} \circ RA2 \circ A(P \vdash Q)$ {Definition of A}
$= RA3_{AP} \circ RA2(\lnot PBMH(\lnot P) \vdash PBMH(Q) \wedge ac' \neq \emptyset)$ {Lemma L.G.2.15}
$= RA3_{AP}(\lnot RA2 \circ PBMH(\lnot P) \vdash RA2(PBMH(Q) \wedge ac' \neq \emptyset))$ {Lemma L.G.2.9}
$= RA3_{AP}(\lnot RA2 \circ PBMH(\lnot P) \vdash RA2 \circ RA1 \circ PBMH(Q))$ {Lemma L.H.1.4}
$= (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(\lnot P) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q))$

□


Lemma L.H.1.5 $AP(P)^o_f = ((ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge o))$

Proof.

$AP(P)^o_f$ {Theorem T.6.2.9}
$= (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))^o_f$ {Definition of design}
$= ((ok \wedge (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f))) \Rightarrow ((s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)) \wedge ok'))^o_f$ {Substitution}
$= ((ok \wedge (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f)))^o_f \Rightarrow ((s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))^o_f \wedge o))$ {Substitution}
$= ((ok \wedge (true \lhd (s \oplus \{wait \mapsto false\}).wait \rhd \lnot (RA2 \circ PBMH(P^f_f))^o_f)) \Rightarrow (((s \in ac')^o_f \lhd (s \oplus \{wait \mapsto false\}).wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f))^o_f) \wedge o))$ {Value of record component $wait$}
$= ((ok \wedge (true \lhd false \rhd \lnot (RA2 \circ PBMH(P^f_f))^o_f)) \Rightarrow (((s \in ac')^o_f \lhd false \rhd (RA2 \circ RA1 \circ PBMH(P^t_f))^o_f) \wedge o))$ {Property of conditional}
$= ((ok \wedge \lnot (RA2 \circ PBMH(P^f_f))^o_f) \Rightarrow ((RA2 \circ RA1 \circ PBMH(P^t_f))^o_f \wedge o))$ {Lemma L.G.2.14}
$= ((ok \wedge \lnot RA2(PBMH(P^f_f)^o_f)) \Rightarrow (RA2((RA1 \circ PBMH(P^t_f))^o_f) \wedge o))$ {Lemma L.G.1.24}
$= ((ok \wedge \lnot RA2(PBMH(P^f_f)^o_f)) \Rightarrow (RA2 \circ RA1(PBMH(P^t_f)^o_f) \wedge o))$ {Lemma L.E.5.1}
$= ((ok \wedge \lnot RA2 \circ PBMH((P^f_f)^o_f)) \Rightarrow (RA2 \circ RA1 \circ PBMH((P^t_f)^o_f) \wedge o))$ {Property of substitution}
$= ((ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge o))$

□


Lemma L.H.1.6 $AP(P)^f_f = ok \Rightarrow RA2 \circ PBMH(P^f_f)$

Proof.

$AP(P)^f_f$ {Lemma L.H.1.5}
$= ((ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge false))$ {Predicate calculus}
$= \lnot ok \vee RA2 \circ PBMH(P^f_f)$ {Predicate calculus}
$= ok \Rightarrow RA2 \circ PBMH(P^f_f)$

□


Lemma L.H.1.7 $AP(P)^t_f = (ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow RA2 \circ RA1 \circ PBMH(P^t_f)$

Proof.

$AP(P)^t_f$ {Lemma L.H.1.5}
$= ((ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge true))$ {Predicate calculus}
$= (ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow RA2 \circ RA1 \circ PBMH(P^t_f)$

□


Lemma L.H.1.8 $RA2 \circ PBMH(AP(P)^t_f) = AP(P)^t_f$

Proof.

$AP(P)^t_f$ {Lemma L.H.1.7}
$= (ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow RA2 \circ RA1 \circ PBMH(P^t_f)$ {Predicate calculus}
$= \lnot ok \vee RA2 \circ PBMH(P^f_f) \vee RA2 \circ RA1 \circ PBMH(P^t_f)$ {Lemma L.G.2.4}
$= RA2(\lnot ok) \vee RA2 \circ PBMH(P^f_f) \vee RA2 \circ RA1 \circ PBMH(P^t_f)$ {Theorems T.G.2.1 and T.5.2.7}
$= RA2(\lnot ok \vee RA2 \circ PBMH(P^f_f) \vee RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.E.4.5}
$= RA2(PBMH(\lnot ok) \vee RA2 \circ PBMH(P^f_f) \vee RA2 \circ RA1 \circ PBMH(P^t_f))$ {Theorems T.5.2.5 and T.5.2.11}
$= RA2(PBMH(\lnot ok) \vee PBMH \circ RA2 \circ PBMH(P^f_f) \vee PBMH \circ RA2 \circ RA1 \circ PBMH(P^t_f))$ {Theorem T.E.2.2}
$= RA2 \circ PBMH(\lnot ok \vee RA2 \circ PBMH(P^f_f) \vee RA2 \circ RA1 \circ PBMH(P^t_f))$ {Predicate calculus}
$= RA2 \circ PBMH((ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.H.1.7}
$= RA2 \circ PBMH(AP(P)^t_f)$

□
Lemma L.H.1.9 $AP(true \vdash P^t_f) = (true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$

Proof.

$AP(true \vdash P^t_f)$ {Lemma L.H.1.10}
$= (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.E.4.2}
$= (true \lhd s.wait \rhd \lnot RA2(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.G.7.21}
$= (true \lhd s.wait \rhd \lnot false \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$ {Predicate calculus and property of conditional}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$

□

Lemma L.H.1.10 $AP(\lnot P^f_f \vdash P^t_f) = (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$

Proof.

$AP(\lnot P^f_f \vdash P^t_f)$ {Lemma L.H.1.11}
$= RA3_{AP} \circ RA2 \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.H.1.4}
$= (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$

□
Lemma L.H.1.11 $AP(\lnot P^f_f \vdash P^t_f) = RA3_{AP} \circ RA2 \circ A(\lnot P^f_f \vdash P^t_f)$

Proof.

$AP(\lnot P^f_f \vdash P^t_f)$ {Theorem T.6.2.8}
$= RA3_{AP} \circ RA2 \circ A(\lnot (\lnot P^f_f \vdash P^t_f)^f_f \vdash (\lnot P^f_f \vdash P^t_f)^t_f)$ {Lemma L.A.2.4}
$= RA3_{AP} \circ RA2 \circ A(\lnot P^f_f \vdash P^t_f)$

□

H.1.4 $ND_{AP}$

Theorem T.6.2.10 Provided $P$ is AP-healthy,
$Choice_{AP} \sqcup P = (true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$

Proof.

$Choice_{AP} \sqcup P$ {Assumption: $P$ is AP-healthy}
$= Choice_{AP} \sqcup AP(P)$ {Definition of $Choice_{AP}$ (Lemma L.H.3.3)}
$= (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(true)) \sqcup AP(P)$ {Lemmas L.E.4.2 and L.G.2.4}
$= (true \lhd s.wait \rhd \lnot false \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(true)) \sqcup AP(P)$ {Predicate calculus and property of conditional}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(true)) \sqcup AP(P)$ {Theorem T.5.2.10}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(true)) \sqcup AP(P)$ {Lemmas L.E.4.1 and L.G.2.4}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA1(true)) \sqcup AP(P)$ {Definition of AP (Theorem T.6.2.9)}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA1(true)) \sqcup (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$ {Definition of $\sqcup$ for designs}
$= ((true \vee (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f))) \vdash ((true \Rightarrow s \in ac' \lhd s.wait \rhd RA1(true)) \wedge ((true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))))$ {Predicate calculus}
$= (true \vdash (s \in ac' \lhd s.wait \rhd RA1(true)) \wedge ((true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))))$ {Property of conditional}
$= (true \vdash (s \in ac' \lhd s.wait \rhd RA1(true)) \wedge ((true \Rightarrow s \in ac') \lhd s.wait \rhd (\lnot RA2 \circ PBMH(P^f_f) \Rightarrow RA2 \circ RA1 \circ PBMH(P^t_f))))$ {Predicate calculus}
$= (true \vdash (s \in ac' \lhd s.wait \rhd RA1(true)) \wedge (s \in ac' \lhd s.wait \rhd (\lnot RA2 \circ PBMH(P^f_f) \Rightarrow RA2 \circ RA1 \circ PBMH(P^t_f))))$ {Predicate calculus and property of conditional}
$= (true \vdash s \in ac' \lhd s.wait \rhd (RA1(true) \wedge (\lnot RA2 \circ PBMH(P^f_f) \Rightarrow RA2 \circ RA1 \circ PBMH(P^t_f))))$ {Predicate calculus}
$= (true \vdash s \in ac' \lhd s.wait \rhd (RA1(true) \wedge ((ok \wedge \lnot RA2 \circ PBMH(P^f_f)) \Rightarrow RA2 \circ RA1 \circ PBMH(P^t_f))))$ {Lemma L.H.1.7}
$= (true \vdash s \in ac' \lhd s.wait \rhd (RA1(true) \wedge AP(P)^t_f))$ {Lemma L.H.1.8}
$= (true \vdash s \in ac' \lhd s.wait \rhd (RA1(true) \wedge RA2 \circ PBMH(AP(P)^t_f)))$ {Lemmas L.G.1.10 and L.G.1.33 and Theorem T.5.2.10}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(AP(P)^t_f))$ {Assumption: $P$ is AP-healthy}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$

□


H.2 Relationship with Reactive Angelic Designs

H.2.1 From RAD to AP

Theorem T.6.3.1 $H1 \circ RAD(P) = (true \lhd s.wait \rhd \lnot RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$

Proof.

$H1 \circ RAD(P)$ {Definition of RAD}
$= H1 \circ RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.G.1.6}
$= H1 \circ RA \circ PBMH(\lnot P^f_f \vdash P^t_f)$ {Lemma L.4.2.2}
$= H1 \circ RA(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f))$ {Definition of RA}
$= H1 \circ RA1 \circ RA2 \circ RA3(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f))$ {Theorem T.5.2.17}
$= H1 \circ RA1 \circ RA3 \circ RA2(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f))$ {Lemma L.G.2.15}
$= H1 \circ RA1 \circ RA3(\lnot RA2 \circ PBMH(P^f_f) \vdash RA2 \circ PBMH(P^t_f))$ {Lemma L.G.4.1}
$= H1 \circ RA1(true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ PBMH(P^t_f))$ {Definition of design}
$= H1 \circ RA1((ok \wedge (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f))) \Rightarrow ((s \in ac' \lhd s.wait \rhd RA2 \circ PBMH(P^t_f)) \wedge ok'))$ {Predicate calculus and Lemma L.A.1.3}
$= H1 \circ RA1(\lnot ok \vee (false \lhd s.wait \rhd RA2 \circ PBMH(P^f_f)) \vee ((s \in ac' \lhd s.wait \rhd RA2 \circ PBMH(P^t_f)) \wedge ok'))$ {Theorem T.5.2.3}
$= H1(RA1(\lnot ok) \vee RA1(false \lhd s.wait \rhd RA2 \circ PBMH(P^f_f)) \vee RA1((s \in ac' \lhd s.wait \rhd RA2 \circ PBMH(P^t_f)) \wedge ok'))$ {Lemma L.G.1.16}
$= H1(RA1(\lnot ok) \vee RA1(false \lhd s.wait \rhd RA2 \circ PBMH(P^f_f)) \vee (RA1(s \in ac' \lhd s.wait \rhd RA2 \circ PBMH(P^t_f)) \wedge ok'))$ {Lemma L.G.1.15}
$= H1(RA1(\lnot ok) \vee (RA1(false) \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^f_f)) \vee ((RA1(s \in ac') \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f)) \wedge ok'))$ {Lemmas L.G.1.9 and L.G.1.14}
$= H1(RA1(\lnot ok) \vee (false \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^f_f)) \vee ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f)) \wedge ok'))$ {Lemma L.G.1.17}
$= H1((\lnot ok \wedge RA1(true)) \vee (false \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^f_f)) \vee ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f)) \wedge ok'))$ {Definition of H1}
$= \lnot ok \vee (\lnot ok \wedge RA1(true)) \vee (false \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^f_f)) \vee ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f)) \wedge ok')$ {Predicate calculus: absorption law}
$= \lnot ok \vee (false \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^f_f)) \vee ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f)) \wedge ok')$ {Predicate calculus and Lemma L.A.1.3}
$= (ok \wedge (true \lhd s.wait \rhd \lnot RA1 \circ RA2 \circ PBMH(P^f_f))) \Rightarrow ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f)) \wedge ok')$ {Definition of design}
$= (true \lhd s.wait \rhd \lnot RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$

□


Theorem T.H.2.1 $A \circ H1 \circ RAD(P) = H1 \circ RAD(P)$

Proof.

$H1 \circ RAD(P)$ {Theorem T.6.3.1}
$= (true \lhd s.wait \rhd \lnot RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Lemmas L.G.1.6 and L.G.1.7 and predicate calculus}
$= (true \lhd s.wait \rhd \lnot RA1 \circ RA2 \circ PBMH(P^f_f) \vdash (s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f)) \wedge ac' \neq \emptyset)$ {Theorems T.5.2.5 and T.5.2.11}
$= (true \lhd s.wait \rhd \lnot PBMH \circ RA1 \circ RA2 \circ PBMH(P^f_f) \vdash (s \in ac' \lhd s.wait \rhd PBMH \circ RA1 \circ RA2 \circ PBMH(P^t_f)) \wedge ac' \neq \emptyset)$ {Predicate calculus and property of conditional}
$= (\lnot (false \lhd s.wait \rhd PBMH \circ RA1 \circ RA2 \circ PBMH(P^f_f)) \vdash (s \in ac' \lhd s.wait \rhd PBMH \circ RA1 \circ RA2 \circ PBMH(P^t_f)) \wedge ac' \neq \emptyset)$ {Lemmas L.E.4.2, L.E.4.3 and L.E.4.9}
$= (\lnot PBMH(false \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^f_f)) \vdash PBMH(s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f)) \wedge ac' \neq \emptyset)$ {Definition of A}
$= A(\lnot (false \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^f_f)) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Property of conditional}
$= A(true \lhd s.wait \rhd \lnot RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Theorem T.6.3.1}
$= A \circ H1 \circ RAD(P)$

□


Lemma L.6.3.1 $H1 \circ RA \circ A(true \vdash P^t_f) = (true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$

Proof.

$H1 \circ RA \circ A(true \vdash P^t_f)$ {Theorem T.5.2.20 and Lemma L.H.2.4}
$= AP(\lnot RA1 \circ PBMH(false) \vdash P^t_f)$ {Lemmas L.E.4.2 and L.G.1.9}
$= AP(\lnot false \vdash P^t_f)$ {Predicate calculus}
$= AP(true \vdash P^t_f)$ {Theorem T.6.2.9}
$= (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.E.4.5}
$= (true \lhd s.wait \rhd \lnot RA2(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.G.2.4 and predicate calculus}
$= (true \lhd s.wait \rhd true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$ {Property of conditional}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$

□

Lemma L.H.2.1 $H3 \circ H1 \circ RAD(P) = (true \lhd s.wait \rhd \lnot \exists ac' \bullet RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$

Proof.

$H3 \circ H1 \circ RAD(P)$ {Theorem T.6.3.1}
$= H3(true \lhd s.wait \rhd \lnot RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Theorems T.C.1.5 and T.H.2.1 and Lemma L.A.2.15}
$= (\lnot \exists ac' \bullet \lnot (true \lhd s.wait \rhd \lnot RA1 \circ RA2 \circ PBMH(P^f_f)) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Predicate calculus and property of conditional}
$= (\lnot \exists ac' \bullet \lnot s.wait \wedge RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Predicate calculus}
$= (\lnot s.wait \Rightarrow \lnot \exists ac' \bullet RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Predicate calculus and property of conditional}
$= (true \lhd s.wait \rhd \lnot \exists ac' \bullet RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$

□


Lemma L.H.2.2 $H1 \circ RA \circ A(true \vdash P^t_f) = AP(true \vdash P^t_f)$

Proof.

$H1 \circ RA \circ A(true \vdash P^t_f)$ {Theorem T.5.2.20 and Lemma L.H.2.4}
$= AP(\lnot RA1 \circ PBMH(false) \vdash P^t_f)$ {Lemmas L.E.4.2 and L.G.1.9}
$= AP(\lnot false \vdash P^t_f)$ {Predicate calculus}
$= AP(true \vdash P^t_f)$

□

Lemma L.H.2.3 $H3 \circ H1 \circ RA \circ A(true \vdash P^t_f) = (true \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$

Proof.

$H3 \circ H1 \circ RA \circ A(true \vdash P^t_f)$ {Theorem T.5.2.20 and Lemma L.H.2.1}
$= (\lnot s.wait \Rightarrow \lnot \exists ac' \bullet RA1 \circ RA2 \circ PBMH(false) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Lemmas L.E.4.2, L.G.1.9 and L.G.2.4}
$= (\lnot s.wait \Rightarrow \lnot \exists ac' \bullet false \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Predicate calculus}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$

□


Lemma L.H.2.4 $H1 \circ RAD(P) = AP(\lnot RA1 \circ PBMH(P^f_f) \vdash P^t_f)$

Proof.

$H1 \circ RAD(P)$ {Theorem T.6.3.1}
$= (true \lhd s.wait \rhd \lnot RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Lemma L.H.1.4}
$= RA3_{AP}(\lnot RA1 \circ RA2 \circ PBMH(P^f_f) \vdash RA1 \circ RA2 \circ PBMH(P^t_f))$ {Theorem T.5.2.10}
$= RA3_{AP}(\lnot RA2 \circ RA1 \circ PBMH(P^f_f) \vdash RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.G.2.9}
$= RA3_{AP}(\lnot RA2 \circ RA1 \circ PBMH(P^f_f) \vdash RA2(PBMH(P^t_f) \wedge ac' \neq \emptyset))$ {Lemma L.G.2.15}
$= RA3_{AP} \circ RA2(\lnot RA1 \circ PBMH(P^f_f) \vdash PBMH(P^t_f) \wedge ac' \neq \emptyset)$ {Theorem T.5.2.5}
$= RA3_{AP} \circ RA2(\lnot PBMH \circ RA1 \circ PBMH(P^f_f) \vdash PBMH(P^t_f) \wedge ac' \neq \emptyset)$ {Definition of A}
$= RA3_{AP} \circ RA2 \circ A(\lnot RA1 \circ PBMH(P^f_f) \vdash P^t_f)$ {Lemma L.H.1.11}
$= AP(\lnot RA1 \circ PBMH(P^f_f) \vdash P^t_f)$

□

Lemma L.H.2.5 Provided $P$ is a reactive angelic process,
$H1(P) = AP(\lnot RA1(P^f_f) \vdash P^t_f)$

Proof.

$H1(P)$ {Assumption: $P$ is RAD-healthy}
$= H1 \circ RAD(P)$ {Lemma L.H.2.4}
$= AP(\lnot RA1 \circ PBMH(P^f_f) \vdash P^t_f)$ {Lemma L.E.5.1}
$= AP(\lnot RA1(PBMH(P)^f_f) \vdash P^t_f)$ {Assumption: $P$ is RAD-healthy and Theorem T.5.2.21}
$= AP(\lnot RA1(P^f_f) \vdash P^t_f)$

□


H.2.2 From AP to RAD

Theorem T.6.3.2 $RA1 \circ AP(P) = RA \circ A(\lnot P^f_f \vdash P^t_f)$

Proof.

$RA1 \circ AP(P)$ {Theorem T.6.2.9}
$= RA1(true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.G.4.1}
$= RA1 \circ RA3(\lnot RA2 \circ PBMH(P^f_f) \vdash RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.G.2.15}
$= RA1 \circ RA3 \circ RA2(\lnot PBMH(P^f_f) \vdash RA1 \circ PBMH(P^t_f))$ {Theorems T.5.2.10 and T.5.2.16}
$= RA3 \circ RA2 \circ RA1(\lnot PBMH(P^f_f) \vdash RA1 \circ PBMH(P^t_f))$ {Lemma L.G.1.20}
$= RA3 \circ RA2 \circ RA1(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f))$ {Lemma L.4.2.2}
$= RA3 \circ RA2 \circ RA1 \circ PBMH(\lnot P^f_f \vdash P^t_f)$ {Definition of RA}
$= RA \circ PBMH(\lnot P^f_f \vdash P^t_f)$ {Theorem T.G.1.6}
$= RA \circ A(\lnot P^f_f \vdash P^t_f)$

□


H.2.3 Galois Connection and Isomorphism

Theorem T.6.3.3 $RA1 \circ H1 \circ RAD(P) = RAD(P)$

Proof.

$RA1 \circ H1 \circ RAD(P)$ {Lemma L.H.2.4}
$= RA1 \circ AP(\lnot RA1 \circ PBMH(P^f_f) \vdash P^t_f)$ {Theorem T.6.3.2 and Lemmas L.A.2.5 and L.A.2.6}
$= RA \circ A(\lnot RA1 \circ PBMH(P^f_f) \vdash P^t_f)$ {Theorem T.G.1.6}
$= RA \circ PBMH(\lnot RA1 \circ PBMH(P^f_f) \vdash P^t_f)$ {Lemma L.4.2.2}
$= RA(\lnot PBMH \circ RA1 \circ PBMH(P^f_f) \vdash PBMH(P^t_f))$ {Theorem T.5.2.5}
$= RA(\lnot RA1 \circ PBMH(P^f_f) \vdash PBMH(P^t_f))$ {Definition of RA}
$= RA3 \circ RA2 \circ RA1(\lnot RA1 \circ PBMH(P^f_f) \vdash PBMH(P^t_f))$ {Lemma L.G.1.23}
$= RA3 \circ RA2 \circ RA1(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f))$ {Definition of RA}
$= RA(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f))$ {Lemma L.4.2.2}
$= RA \circ PBMH(\lnot P^f_f \vdash P^t_f)$ {Theorem T.G.1.6}
$= RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.2.20}
$= RAD(P)$

□


Theorem T.6.3.4 $H1 \circ RA1 \circ AP(P) \sqsupseteq AP(P)$

Proof.

$H1 \circ RA1 \circ AP(P)$ {Theorem T.6.3.2}
$= H1 \circ RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.2.20 and Lemma L.H.2.4}
$= AP(\lnot RA1 \circ PBMH(P^f_f) \vdash P^t_f)$ {Lemma L.G.1.21 and strengthen precondition}
$\sqsupseteq AP(\lnot PBMH(P^f_f) \vdash P^t_f)$ {Lemma L.H.1.11}
$= RA3_{AP} \circ RA2 \circ A(\lnot PBMH(P^f_f) \vdash P^t_f)$ {Definition of A and Lemma L.4.2.2 and Theorem T.E.2.1}
$= RA3_{AP} \circ RA2 \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.6.2.8}
$= AP(P)$

□


Theorem T.6.3.5 $H1 \circ RA1 \circ ND_{AP} \circ AP(P) = ND_{AP} \circ AP(P)$

Proof.

$H1 \circ RA1 \circ ND_{AP} \circ AP(P)$ {Definition of $ND_{AP}$ and Theorem T.6.2.10}
$= H1 \circ RA1(true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.H.2.6}
$= (\lnot RA1(\lnot true) \vdash RA1(s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)))$ {Predicate calculus and Lemma L.G.1.9}
$= (true \vdash RA1(s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)))$ {Lemma L.G.1.15}
$= (true \vdash RA1(s \in ac') \lhd s.wait \rhd RA1 \circ RA2 \circ RA1 \circ PBMH(P^t_f))$ {Theorems T.G.1.1 and T.5.2.10}
$= (true \vdash RA1(s \in ac') \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$ {Definition of $ND_{AP}$ and Theorem T.6.2.10}
$= ND_{AP} \circ AP(P)$

□


Theorem T.H.2.2 $RA1 \circ H3 \circ H1 \circ RAD(P) \sqsubseteq RAD(P)$

Proof.

$RA1 \circ H3 \circ H1 \circ RAD(P)$ {Lemma L.H.2.1}
$= RA1(\lnot s.wait \Rightarrow \lnot \exists ac' \bullet RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Predicate calculus}
$= RA1(\lnot s.wait \Rightarrow (\lnot s.wait \wedge \lnot \exists ac' \bullet RA1 \circ RA2 \circ PBMH(P^f_f)) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Predicate calculus}
$= RA1(s.wait \vee (\lnot s.wait \wedge \lnot \exists ac' \bullet RA1 \circ RA2 \circ PBMH(P^f_f)) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Predicate calculus and definition of conditional}
$= RA1(true \lhd s.wait \rhd \lnot \exists ac' \bullet RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Lemma L.G.4.1}
$= RA1 \circ RA3(\lnot \exists ac' \bullet RA1 \circ RA2 \circ PBMH(P^f_f) \vdash RA1 \circ RA2 \circ PBMH(P^t_f))$ {RA1 and RA3 are monotonic, weaken precondition as $(\lnot \exists ac' \bullet P) \Rightarrow \lnot P$}
$\sqsubseteq RA1 \circ RA3(\lnot RA1 \circ RA2 \circ PBMH(P^f_f) \vdash RA1 \circ RA2 \circ PBMH(P^t_f))$ {Theorem T.5.2.16}
$= RA3 \circ RA1(\lnot RA1 \circ RA2 \circ PBMH(P^f_f) \vdash RA1 \circ RA2 \circ PBMH(P^t_f))$ {Lemmas L.G.1.20 and L.G.1.23}
$= RA3 \circ RA1(\lnot RA2 \circ PBMH(P^f_f) \vdash RA2 \circ PBMH(P^t_f))$ {Lemma L.G.2.15}
$= RA3 \circ RA1 \circ RA2(\lnot PBMH(P^f_f) \vdash PBMH(P^t_f))$ {Lemma L.4.2.2}
$= RA3 \circ RA1 \circ RA2 \circ PBMH(\lnot P^f_f \vdash P^t_f)$ {Definition of RA}
$= RA \circ PBMH(\lnot P^f_f \vdash P^t_f)$ {Theorem T.G.1.6}
$= RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Definition of RAD (Theorem T.5.2.20)}
$= RAD(P)$

□


Theorem T.H.2.3 $H3 \circ H1 \circ RA1 \circ AP(P) \sqsubseteq AP(P)$

Proof.

$H3 \circ H1 \circ RA1 \circ AP(P)$ {Theorem T.6.3.2}
$= H3 \circ H1 \circ RA \circ A(\lnot P^f_f \vdash P^t_f)$ {Theorem T.5.2.20}
$= H3 \circ H1 \circ RAD(P)$ {Lemma L.H.2.1}
$= (\lnot s.wait \Rightarrow \lnot \exists ac' \bullet RA1 \circ RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Lemma L.G.4.10}
$= (\lnot s.wait \Rightarrow \lnot \exists ac' \bullet RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Weaken precondition as $(\lnot \exists ac' \bullet P) \Rightarrow \lnot P$}
$\sqsubseteq (\lnot s.wait \Rightarrow \lnot RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Predicate calculus}
$= (\lnot s.wait \Rightarrow (\lnot s.wait \wedge \lnot RA2 \circ PBMH(P^f_f)) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Predicate calculus and definition of conditional}
$= (true \lhd s.wait \rhd \lnot RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Theorem T.6.2.9}
$= AP(P)$

□


Theorem T.H.2.4 $RA1 \circ H3 \circ H1 \circ RA \circ A(true \vdash P^t_f) = RA \circ A(true \vdash P^t_f)$

Proof.

$RA1 \circ H3 \circ H1 \circ RA \circ A(true \vdash P^t_f)$ {Lemma L.H.2.3}
$= RA1(true \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Predicate calculus and property of conditional}
$= RA1(true \lhd s.wait \rhd true \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Lemma L.G.4.1}
$= RA1 \circ RA3(true \vdash RA1 \circ RA2 \circ PBMH(P^t_f))$ {Theorem T.5.2.16}
$= RA3 \circ RA1(true \vdash RA1 \circ RA2 \circ PBMH(P^t_f))$ {Lemma L.G.1.20}
$= RA3 \circ RA1(true \vdash RA2 \circ PBMH(P^t_f))$ {Predicate calculus and Lemma L.G.2.4}
$= RA3 \circ RA1(\lnot RA2(false) \vdash RA2 \circ PBMH(P^t_f))$ {Lemma L.G.2.15}
$= RA3 \circ RA1 \circ RA2(true \vdash PBMH(P^t_f))$ {Predicate calculus and Lemma L.E.4.2}
$= RA3 \circ RA1 \circ RA2(\lnot PBMH(false) \vdash PBMH(P^t_f))$ {Lemma L.4.2.2}
$= RA3 \circ RA1 \circ RA2 \circ PBMH(true \vdash P^t_f)$ {Definition of RA and Theorem T.G.1.6}
$= RA \circ A(true \vdash P^t_f)$

□

Theorem T.H.2.5 Provided $P$ is AP-healthy,
$H3 \circ H1 \circ RA1 \circ ND_{AP}(P) = ND_{AP}(P)$

Proof.

$H3 \circ H1 \circ RA1 \circ ND_{AP}(P)$ {Definition of $ND_{AP}$}
$= H3 \circ H1 \circ RA1(P \sqcup Choice_{AP})$ {Assumption: $P$ is AP-healthy and Theorem T.6.2.10}
$= H3 \circ H1 \circ RA1(true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$ {Lemma L.H.1.9}
$= H3 \circ H1 \circ RA1 \circ AP(true \vdash P^t_f)$ {Theorem T.6.3.2}
$= H3 \circ H1 \circ RA \circ A(true \vdash P^t_f)$ {Lemma L.H.2.3}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(P^t_f))$ {Assumption: $P$ is AP-healthy and Theorem T.6.2.10}
$= Choice_{AP} \sqcup P$ {Definition of $ND_{AP}$}
$= ND_{AP}(P)$

□


Lemma L.H.2.6 $H1 \circ RA1(P \vdash Q) = (\neg RA1(\neg P) \vdash RA1(Q))$

Proof.

  $H1 \circ RA1(P \vdash Q)$
      {Definition of design}
$= H1 \circ RA1((ok \wedge P) \Rightarrow (Q \wedge ok'))$
      {Predicate calculus}
$= H1 \circ RA1(\neg ok \vee \neg P \vee (Q \wedge ok'))$
      {Theorem T.5.2.3}
$= H1(RA1(\neg ok) \vee RA1(\neg P) \vee RA1(Q \wedge ok'))$
      {Lemma L.G.1.16}
$= H1(RA1(\neg ok) \vee RA1(\neg P) \vee (RA1(Q) \wedge ok'))$
      {Lemma L.G.1.19}
$= H1((\neg ok \wedge RA1(true)) \vee RA1(\neg P) \vee (RA1(Q) \wedge ok'))$
      {Definition of H1}
$= ok \Rightarrow ((\neg ok \wedge RA1(true)) \vee RA1(\neg P) \vee (RA1(Q) \wedge ok'))$
      {Predicate calculus}
$= ok \Rightarrow (RA1(\neg P) \vee (RA1(Q) \wedge ok'))$
      {Predicate calculus}
$= (ok \wedge \neg RA1(\neg P)) \Rightarrow (RA1(Q) \wedge ok')$
      {Definition of design}
$= (\neg RA1(\neg P) \vdash RA1(Q))$

□


Lemma L.H.2.7

$RA \circ \mathbf{A}(true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q)) = RA \circ \mathbf{A}(true \vdash Q)$

Proof.

  $RA \circ \mathbf{A}(true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q))$
      {Theorem T.G.1.6}
$= RA \circ PBMH(true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q))$
      {Lemma L.4.2.2}
$= RA(\neg PBMH(\neg true) \vdash PBMH(s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q)))$
      {Predicate calculus and Lemma L.E.4.2}
$= RA(true \vdash PBMH(s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q)))$
      {Lemmas L.E.4.3 and L.E.4.9}
$= RA(true \vdash s \in ac' \lhd s.wait \rhd PBMH \circ RA2 \circ RA1 \circ PBMH(Q))$
      {Theorems T.5.2.5 and T.5.2.11}
$= RA(true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q))$
      {Definition of RA}
$= RA3 \circ RA2 \circ RA1(true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q))$
      {Theorem T.5.2.10}
$= RA3 \circ RA2 \circ RA1(true \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(Q))$
      {Lemmas L.G.1.14 and L.G.1.15}
$= RA3 \circ RA2 \circ RA1(true \vdash RA1(s \in ac' \lhd s.wait \rhd RA2 \circ PBMH(Q)))$
      {Lemma L.G.1.20}
$= RA3 \circ RA2 \circ RA1(true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ PBMH(Q))$
      {Theorem T.5.2.10}
$= RA3 \circ RA1 \circ RA2(true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ PBMH(Q))$
      {Lemmas L.G.2.3 and L.G.2.6}
$= RA3 \circ RA1 \circ RA2(true \vdash RA2(s \in ac' \lhd s.wait \rhd PBMH(Q)))$
      {Lemma L.G.2.16}
$= RA3 \circ RA1 \circ RA2(true \vdash s \in ac' \lhd s.wait \rhd PBMH(Q))$
      {Theorems T.5.2.10 and T.5.2.17}
$= RA2 \circ RA3 \circ RA1(true \vdash s \in ac' \lhd s.wait \rhd PBMH(Q))$
      {Property of conditional}
$= RA2 \circ RA3 \circ RA1(true \lhd s.wait \rhd true \vdash s \in ac' \lhd s.wait \rhd PBMH(Q))$
      {Lemma L.G.4.11}
$= RA2 \circ RA3 \circ RA1 \circ RA3(true \vdash PBMH(Q))$
      {Theorem T.5.2.16}
$= RA2 \circ RA3 \circ RA3 \circ RA1(true \vdash PBMH(Q))$
      {Theorem T.G.3.5}
$= RA2 \circ RA3 \circ RA1(true \vdash PBMH(Q))$
      {Definition of RA}
$= RA(true \vdash PBMH(Q))$
      {Predicate calculus and Lemma L.E.4.2}
$= RA(\neg PBMH(false) \vdash PBMH(Q))$
      {Predicate calculus and Lemma L.4.2.2}
$= RA \circ PBMH(true \vdash Q)$
      {Theorem T.G.1.6}
$= RA \circ \mathbf{A}(true \vdash Q)$

□


H.3 Operators

H.3.1 Angelic Choice

Closure

Theorem T.6.4.1 Provided P and Q are AP-healthy,

$AP(P \sqcup_{AP} Q) = P \sqcup_{AP} Q$

Proof.

  $P \sqcup Q$
      {Assumption: P and Q are AP-healthy}
$= AP(P) \sqcup AP(Q)$
      {Lemma L.H.3.1}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(RA2 \circ PBMH(P^f_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH\left(\begin{array}{l}
  (RA2 \circ PBMH(P^f_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f))
\end{array}\right)
\end{array}\right)
\]
      {Lemma L.H.1.10 and Theorem T.H.1.2}
\[
= AP\left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(RA2 \circ PBMH(P^f_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH\left(\begin{array}{l}
  (RA2 \circ PBMH(P^f_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f))
\end{array}\right)
\end{array}\right)
\]
      {Lemma L.H.3.1}
$= AP(AP(P) \sqcup AP(Q))$
      {Assumption: P and Q are AP-healthy}
$= AP(P \sqcup Q)$

□


Theorem T.6.4.2 Provided P and Q are $ND_{AP}$-healthy,

$ND_{AP}(P \sqcup_{AP} Q) = P \sqcup_{AP} Q$

Proof.

  $ND_{AP}(P \sqcup_{AP} Q)$
      {Definition of $ND_{AP}$}
$= Choice_{AP} \sqcup_{AP} (P \sqcup_{AP} Q)$
      {Definition of $\sqcup_{AP}$}
$= Choice_{AP} \wedge (P \wedge Q)$
      {Associativity of conjunction}
$= Choice_{AP} \wedge P \wedge Q$
      {Predicate calculus}
$= (Choice_{AP} \wedge P) \wedge (Choice_{AP} \wedge Q)$
      {Definition of $\sqcup_{AP}$}
$= (Choice_{AP} \sqcup_{AP} P) \sqcup_{AP} (Choice_{AP} \sqcup_{AP} Q)$
      {Definition of $ND_{AP}$}
$= ND_{AP}(P) \sqcup_{AP} ND_{AP}(Q)$
      {Assumption: P and Q are $ND_{AP}$-healthy}
$= P \sqcup_{AP} Q$

□


Lemma L.H.3.1

\[
AP(P) \sqcup AP(Q) = \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(RA2 \circ PBMH(P^f_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH\left(\begin{array}{l}
  (RA2 \circ PBMH(P^f_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f))
\end{array}\right)
\end{array}\right)
\]

Proof.

  $AP(P) \sqcup AP(Q)$
      {Lemma L.H.1.10}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f) \\ \vdash \\ s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)
\end{array}\right)
\sqcup
\left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f) \\ \vdash \\ s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f)
\end{array}\right)
\]
      {Conjunction of designs (Lemma L.A.2.10)}
\[
= \left(\begin{array}{l}
(true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f)) \vee (true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
(\neg (true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f)) \wedge (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f))) \\
\vee\ ((s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)) \wedge \neg (true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f))) \\
\vee\ ((s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)) \wedge (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Property of conditional (Lemma L.A.1.3) and predicate calculus}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd (\neg RA2 \circ PBMH(P^f_f) \vee \neg RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
((false \lhd s.wait \rhd RA2 \circ PBMH(P^f_f)) \wedge (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f))) \\
\vee\ ((s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)) \wedge (false \lhd s.wait \rhd RA2 \circ PBMH(Q^f_f))) \\
\vee\ ((s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)) \wedge (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Property of conditional and predicate calculus}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd (\neg RA2 \circ PBMH(P^f_f) \vee \neg RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
(false \lhd s.wait \rhd (RA2 \circ PBMH(P^f_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f))) \\
\vee\ (false \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ PBMH(Q^f_f))) \\
\vee\ (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Property of conditional and predicate calculus}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg (RA2 \circ PBMH(P^f_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd \left(\begin{array}{l}
  (RA2 \circ PBMH(P^f_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f))
\end{array}\right)
\end{array}\right)
\]
      {Theorem T.5.2.10; Lemmas L.G.1.14, L.G.1.35 and L.G.1.36 and predicate calculus}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg (RA2 \circ PBMH(P^f_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd \left(\left(\begin{array}{l}
  (RA2 \circ PBMH(P^f_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f))
\end{array}\right) \wedge RA1(true)\right)
\end{array}\right)
\]
      {Theorems T.5.2.6 to T.5.2.11}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2(RA2 \circ PBMH(P^f_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd \left(RA2\left(\begin{array}{l}
  (RA2 \circ PBMH(P^f_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f))
\end{array}\right) \wedge RA1(true)\right)
\end{array}\right)
\]
      {Lemmas L.G.1.10 and L.G.1.33}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2(RA2 \circ PBMH(P^f_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd RA2 \circ RA1\left(\begin{array}{l}
  (RA2 \circ PBMH(P^f_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f))
\end{array}\right)
\end{array}\right)
\]
      {Theorems T.E.2.2, T.E.3.1, T.5.2.5 and T.5.2.11}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(RA2 \circ PBMH(P^f_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH\left(\begin{array}{l}
  (RA2 \circ PBMH(P^f_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ PBMH(Q^f_f)) \\
  \vee\ (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge RA2 \circ RA1 \circ PBMH(Q^t_f))
\end{array}\right)
\end{array}\right)
\]

□
Linking

Theorem T.6.4.3 Provided P and Q are RAD-healthy,

$RA1(H1(P) \sqcup_{AP} H1(Q)) = P \sqcup_{RAD} Q$

Proof.

  $RA1(H1(P) \sqcup_{AP} H1(Q))$
      {Definition of $\sqcup_{AP}$}
$= RA1(H1(P) \wedge H1(Q))$
      {Theorem T.5.2.2}
$= RA1 \circ H1(P) \wedge RA1 \circ H1(Q)$
      {Assumption: P and Q are RAD-healthy}
$= RA1 \circ H1 \circ RAD(P) \wedge RA1 \circ H1 \circ RAD(Q)$
      {Theorem T.6.3.3}
$= RAD(P) \wedge RAD(Q)$
      {Assumption: P and Q are RAD-healthy}
$= P \wedge Q$
      {Definition of $\sqcup_{RAD}$}
$= P \sqcup_{RAD} Q$

□

Theorem T.6.4.4 Provided P and Q are AP-healthy,

$H1(RA1(P) \sqcup_{RAD} RA1(Q)) \sqsupseteq P \sqcup_{AP} Q$

Proof.

  $H1(RA1(P) \sqcup_{RAD} RA1(Q))$
      {Definition of $\sqcup_{RAD}$}
$= H1(RA1(P) \wedge RA1(Q))$
      {Lemma L.A.2.2}
$= H1 \circ RA1(P) \wedge H1 \circ RA1(Q)$
      {Assumption: P and Q are AP-healthy}
$= H1 \circ RA1 \circ AP(P) \wedge H1 \circ RA1 \circ AP(Q)$
      {Theorem T.6.3.4}
$\sqsupseteq AP(P) \wedge AP(Q)$
      {Assumption: P and Q are AP-healthy}
$= P \wedge Q$
      {Definition of $\sqcup_{AP}$}
$= P \sqcup_{AP} Q$

□


H.3.2 Demonic Choice

Closure

Theorem T.6.4.5 Provided P and Q are AP-healthy, $AP(P \sqcap Q) = P \sqcap Q$.

Proof.

  $AP(P \sqcap Q)$
      {Assumption: P and Q are AP-healthy}
$= AP(AP(P) \sqcap AP(Q))$
      {Lemma L.H.3.2}
$= AP \circ AP(\neg P^f_f \wedge \neg Q^f_f \vdash P^t_f \vee Q^t_f)$
      {Theorem T.H.1.2}
$= AP(\neg P^f_f \wedge \neg Q^f_f \vdash P^t_f \vee Q^t_f)$
      {Lemma L.H.3.2}
$= AP(P) \sqcap AP(Q)$
      {Assumption: P and Q are AP-healthy}
$= P \sqcap Q$

□

Theorem T.6.4.6 Provided P and Q are $ND_{AP}$-healthy,

$ND_{AP}(P \sqcap_{AP} Q) = P \sqcap_{AP} Q$

Proof.

  $ND_{AP}(P \sqcap_{AP} Q)$
      {Definition of $ND_{AP}$}
$= Choice_{AP} \sqcup_{AP} (P \sqcap_{AP} Q)$
      {Definition of $\sqcup_{AP}$ and $\sqcap_{AP}$}
$= Choice_{AP} \wedge (P \vee Q)$
      {Predicate calculus}
$= (Choice_{AP} \wedge P) \vee (Choice_{AP} \wedge Q)$
      {Definition of $\sqcup_{AP}$ and $\sqcap_{AP}$}
$= (Choice_{AP} \sqcup_{AP} P) \sqcap_{AP} (Choice_{AP} \sqcup_{AP} Q)$
      {Definition of $ND_{AP}$}
$= ND_{AP}(P) \sqcap_{AP} ND_{AP}(Q)$
      {Assumption: P and Q are $ND_{AP}$-healthy}
$= P \sqcap_{AP} Q$

□


Lemma L.H.3.2

$AP(P) \sqcap AP(Q) = AP(\neg P^f_f \wedge \neg Q^f_f \vdash P^t_f \vee Q^t_f)$

Proof.

  $AP(P) \sqcap AP(Q)$
      {Lemma L.H.1.10}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f) \\ \vdash \\ s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)
\end{array}\right)
\sqcap
\left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f) \\ \vdash \\ s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f)
\end{array}\right)
\]
      {Disjunction of designs}
\[
= \left(\begin{array}{l}
(true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f)) \wedge (true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
(s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)) \vee (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f))
\end{array}\right)
\]
      {Property of conditional and predicate calculus}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd (\neg RA2 \circ PBMH(P^f_f) \wedge \neg RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) \vee RA2 \circ RA1 \circ PBMH(Q^t_f))
\end{array}\right)
\]
      {Predicate calculus}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg (RA2 \circ PBMH(P^f_f) \vee RA2 \circ PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) \vee RA2 \circ RA1 \circ PBMH(Q^t_f))
\end{array}\right)
\]
      {Theorem T.5.2.7}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2(PBMH(P^f_f) \vee PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd RA2(RA1 \circ PBMH(P^t_f) \vee RA1 \circ PBMH(Q^t_f))
\end{array}\right)
\]
      {Theorem T.5.2.3}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2(PBMH(P^f_f) \vee PBMH(Q^f_f)) \\
\vdash \\
s \in ac' \lhd s.wait \rhd RA2 \circ RA1(PBMH(P^t_f) \vee PBMH(Q^t_f))
\end{array}\right)
\]
      {Theorem T.E.2.2}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f \vee Q^f_f) \\
\vdash \\
s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f \vee Q^t_f)
\end{array}\right)
\]
      {Lemma L.H.1.10}
$= AP(\neg (P^f_f \vee Q^f_f) \vdash P^t_f \vee Q^t_f)$
      {Predicate calculus}
$= AP(\neg P^f_f \wedge \neg Q^f_f \vdash P^t_f \vee Q^t_f)$

□
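The steps "Conjunction of designs (Lemma L.A.2.10)" in Lemma L.H.3.1, "Disjunction of designs" in Lemma L.H.3.2 above, and "conjunction of designs" in Theorem T.6.4.9 below all unfold the same two standard laws of the theory of designs. They are derived here from the definition of a design as an added worked equation; this is not part of the thesis text, and $P_1$, $P_2$, $Q_1$, $Q_2$ are placeholder predicates introduced only for the derivation.

```latex
% Added example: conjunction and disjunction of designs, derived from
% (P \vdash Q) = (ok \wedge P \Rightarrow ok' \wedge Q).
\begin{align*}
(P_1 \vdash Q_1) \wedge (P_2 \vdash Q_2)
  &= ok \Rightarrow ((\neg P_1 \vee (ok' \wedge Q_1)) \wedge (\neg P_2 \vee (ok' \wedge Q_2))) \\
  &= ok \Rightarrow ((\neg P_1 \wedge \neg P_2) \vee (ok' \wedge ((\neg P_1 \wedge Q_2) \vee (Q_1 \wedge \neg P_2) \vee (Q_1 \wedge Q_2)))) \\
  &= ok \wedge (P_1 \vee P_2) \Rightarrow ok' \wedge ((\neg P_1 \wedge Q_2) \vee (Q_1 \wedge \neg P_2) \vee (Q_1 \wedge Q_2)) \\
  &= (P_1 \vee P_2 \vdash (\neg P_1 \wedge Q_2) \vee (Q_1 \wedge \neg P_2) \vee (Q_1 \wedge Q_2)) \\
  &= (P_1 \vee P_2 \vdash (P_1 \Rightarrow Q_1) \wedge (P_2 \Rightarrow Q_2)) \\[1ex]
(P_1 \vdash Q_1) \vee (P_2 \vdash Q_2)
  &= ok \Rightarrow ((\neg P_1 \vee (ok' \wedge Q_1)) \vee (\neg P_2 \vee (ok' \wedge Q_2))) \\
  &= ok \Rightarrow (\neg (P_1 \wedge P_2) \vee (ok' \wedge (Q_1 \vee Q_2))) \\
  &= (P_1 \wedge P_2 \vdash Q_1 \vee Q_2)
\end{align*}
% The last equality of the conjunction law uses (P \vdash Q) = (P \vdash P \wedge Q):
% under P_1 \vee P_2 the disjunct \neg P_1 \wedge \neg P_2 of (P_1 \Rightarrow Q_1) \wedge (P_2 \Rightarrow Q_2)
% is excluded, so only the three remaining disjuncts survive.
```

Instantiating the conjunction law with $P_1 = true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f)$, $Q_1 = s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)$ and the corresponding terms for $Q$ gives the three-disjunct postcondition of the second step of Lemma L.H.3.1; the disjunction law gives the second step of Lemma L.H.3.2, and the form with $(P_1 \Rightarrow Q_1) \wedge (P_2 \Rightarrow Q_2)$ is the one used in Theorem T.6.4.9.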


Linking

Theorem T.6.4.7 Provided P and Q are RAD-healthy,

$RA1(H1(P) \sqcap_{AP} H1(Q)) = P \sqcap_{RAD} Q$

Proof.

  $RA1(H1(P) \sqcap_{AP} H1(Q))$
      {Definition of $\sqcap_{AP}$}
$= RA1(H1(P) \vee H1(Q))$
      {Theorem T.5.2.3}
$= RA1 \circ H1(P) \vee RA1 \circ H1(Q)$
      {Assumption: P and Q are RAD-healthy}
$= RA1 \circ H1 \circ RAD(P) \vee RA1 \circ H1 \circ RAD(Q)$
      {Theorem T.6.3.3}
$= RAD(P) \vee RAD(Q)$
      {Assumption: P and Q are RAD-healthy}
$= P \vee Q$
      {Definition of $\sqcap_{RAD}$}
$= P \sqcap_{RAD} Q$

□

Theorem T.6.4.8 Provided P and Q are AP-healthy,

$H1(RA1(P) \sqcap_{RAD} RA1(Q)) \sqsupseteq P \sqcap_{AP} Q$

Proof.

  $H1(RA1(P) \sqcap_{RAD} RA1(Q))$
      {Definition of $\sqcap_{RAD}$}
$= H1(RA1(P) \vee RA1(Q))$
      {Lemma L.A.1.10}
$= H1 \circ RA1(P) \vee H1 \circ RA1(Q)$
      {Assumption: P and Q are AP-healthy}
$= H1 \circ RA1 \circ AP(P) \vee H1 \circ RA1 \circ AP(Q)$
      {Theorem T.6.3.4}
$\sqsupseteq AP(P) \vee AP(Q)$
      {Assumption: P and Q are AP-healthy}
$= P \vee Q$
      {Definition of $\sqcap_{AP}$}
$= P \sqcap_{AP} Q$

□

H.3.3 Divergence: Chaos and Chaos of CSP

Theorem T.6.4.9 Provided P is AP-healthy, $P \sqcup_{AP} Chaos_{AP} = P$

Proof.

  $P \sqcup_{AP} Chaos_{AP}$
      {Assumption: P is AP-healthy and Theorem T.6.2.9}
$= (true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)) \sqcup_{AP} Chaos_{AP}$
      {Definition of $Chaos_{AP}$ (Lemma L.6.4.1)}
$= (true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)) \sqcup_{AP} (s.wait \vdash s \in ac')$
      {Definition of $\sqcup_{AP}$ and conjunction of designs}
\[
= \left(\begin{array}{l}
(true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f)) \vee s.wait \\
\vdash \\
((true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f)) \Rightarrow (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))) \wedge (s.wait \Rightarrow s \in ac')
\end{array}\right)
\]
      {Definition of conditional and predicate calculus}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f) \\
\vdash \\
((true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f)) \Rightarrow (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))) \wedge (s.wait \Rightarrow s \in ac')
\end{array}\right)
\]
      {Definition of design and predicate calculus}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f) \\
\vdash \\
(s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)) \wedge (s.wait \Rightarrow s \in ac')
\end{array}\right)
\]
      {Predicate calculus}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f) \\
\vdash \\
(s \in ac' \wedge (s.wait \Rightarrow s \in ac')) \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) \wedge (s.wait \Rightarrow s \in ac'))
\end{array}\right)
\]
      {Predicate calculus}
$= (true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f))$
      {Assumption: P is AP-healthy and Theorem T.6.2.9}
$= P$

□
Theorem T.6.4.10 $H1(Chaos_{RAD}) = ChaosCSP_{AP}$

Proof.

  $H1(Chaos_{RAD})$
      {Definition of $Chaos_{RAD}$}
$= H1 \circ RA \circ \mathbf{A}(false \vdash true)$
      {Theorem T.6.3.1}
$= (true \lhd s.wait \rhd \neg RA1 \circ RA2 \circ PBMH(true) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(true))$
      {Lemma L.E.4.1}
$= (true \lhd s.wait \rhd \neg RA1 \circ RA2(true) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2(true))$
      {Lemma L.G.2.2}
$= (true \lhd s.wait \rhd \neg RA1(true) \vdash s \in ac' \lhd s.wait \rhd RA1(true))$
      {Predicate calculus}
$= (true \lhd s.wait \rhd \neg RA1(true) \vdash (true \lhd s.wait \rhd \neg RA1(true)) \wedge (s \in ac' \lhd s.wait \rhd RA1(true)))$
      {Property of conditional}
$= (true \lhd s.wait \rhd \neg RA1(true) \vdash (true \wedge s \in ac') \lhd s.wait \rhd (\neg RA1(true) \wedge RA1(true)))$
      {Predicate calculus}
$= (true \lhd s.wait \rhd \neg RA1(true) \vdash s \in ac' \lhd s.wait \rhd false)$
      {Predicate calculus}
$= (s.wait \vee (\neg s.wait \wedge \neg RA1(true)) \vdash s.wait \wedge s \in ac')$
      {Predicate calculus}
$= (s.wait \vee \neg RA1(true) \vdash s.wait \wedge s \in ac')$
      {Definition of $ChaosCSP_{AP}$ and Lemma L.6.4.2}
$= ChaosCSP_{AP}$

□


Theorem T.6.4.11 $RA1(ChaosCSP_{AP}) = Chaos_{RAD}$

Proof.

  $RA1(ChaosCSP_{AP})$
      {Definition of $ChaosCSP_{AP}$}
$= RA1 \circ AP(\neg RA1(true) \vdash true)$
      {Theorem T.6.3.2}
$= RA \circ \mathbf{A}(\neg (\neg RA1(true) \vdash true)^f_f \vdash (\neg RA1(true) \vdash true)^t_f)$
      {Lemma L.A.2.16}
$= RA \circ \mathbf{A}(\neg RA1(true)_f \vdash true_f)$
      {Lemma L.G.1.24}
$= RA \circ \mathbf{A}(\neg RA1(true_f) \vdash true_f)$
      {Substitution}
$= RA \circ \mathbf{A}(\neg RA1(true) \vdash true)$
      {Lemma L.E.4.5}
$= RA \circ \mathbf{A}(\neg RA1 \circ PBMH(true) \vdash true)$
      {Lemma L.G.4.15}
$= RA \circ \mathbf{A}(\neg true \vdash true)$
      {Predicate calculus}
$= RA \circ \mathbf{A}(false \vdash true)$
      {Definition of $Chaos_{RAD}$}
$= Chaos_{RAD}$

□


Theorem T.H.3.1 $H3 \circ H1(Chaos_{RAD}) = Chaos_{AP}$

Proof.

  $H3 \circ H1(Chaos_{RAD})$
      {Definition of $Chaos_{RAD}$}
$= H3 \circ H1 \circ RA \circ \mathbf{A}(false \vdash true)$
      {Theorem T.5.2.20 and Lemma L.H.2.1}
$= (true \lhd s.wait \rhd \neg \exists ac' \bullet RA1 \circ RA2 \circ PBMH(true) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(true))$
      {Lemma L.E.4.5}
$= (true \lhd s.wait \rhd \neg \exists ac' \bullet RA1 \circ RA2(true) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2(true))$
      {Lemma L.G.2.4}
$= (true \lhd s.wait \rhd \neg \exists ac' \bullet RA1(true) \vdash s \in ac' \lhd s.wait \rhd RA1(true))$
      {Lemma L.G.1.10}
$= (true \lhd s.wait \rhd \neg \exists ac' \bullet \exists z \bullet s.tr \leq z.tr \wedge z \in ac' \vdash s \in ac' \lhd s.wait \rhd RA1(true))$
      {Predicate calculus}
$= (true \lhd s.wait \rhd false \vdash s \in ac' \lhd s.wait \rhd RA1(true))$
      {Definition of conditional and predicate calculus}
$= (s.wait \vdash s \in ac' \lhd s.wait \rhd RA1(true))$
      {Definition of design and predicate calculus}
$= (s.wait \vdash s \in ac')$
      {Definition of $Chaos_{AP}$}
$= Chaos_{AP}$

□


Lemma L.6.4.1 $Chaos_{AP} = (s.wait \vdash s \in ac')$

Proof.

  $Chaos_{AP}$
      {Definition of $Chaos_{AP}$}
$= AP(false \vdash true)$
      {Lemma L.H.1.10}
$= (true \lhd s.wait \rhd \neg RA2 \circ PBMH(true) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(true))$
      {Lemma L.E.4.1}
$= (true \lhd s.wait \rhd \neg RA2(true) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(true))$
      {Lemma L.G.2.4 and predicate calculus}
$= (true \lhd s.wait \rhd false \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(true))$
      {Definition of conditional and predicate calculus}
$= (s.wait \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(true))$
      {Definition of design, predicate calculus and definition of conditional}
$= (s.wait \vdash s \in ac')$

□


Lemma L.6.4.2 $ChaosCSP_{AP} = (s.wait \vee \neg RA1(true) \vdash s.wait \wedge s \in ac')$

Proof.

  $ChaosCSP_{AP}$
      {Definition of $ChaosCSP_{AP}$}
$= AP(\neg RA1(true) \vdash true)$
      {Lemma L.H.1.10}
$= (true \lhd s.wait \rhd \neg RA2 \circ PBMH \circ RA1(true) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(true))$
      {Lemma L.E.4.1 and Theorem T.5.2.5}
$= (true \lhd s.wait \rhd \neg RA2 \circ RA1(true) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1(true))$
      {Theorem T.5.2.10}
$= (true \lhd s.wait \rhd \neg RA1 \circ RA2(true) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2(true))$
      {Lemma L.G.2.4}
$= (true \lhd s.wait \rhd \neg RA1(true) \vdash s \in ac' \lhd s.wait \rhd RA1(true))$
      {Property of designs}
$= (true \lhd s.wait \rhd \neg RA1(true) \vdash (true \lhd s.wait \rhd \neg RA1(true)) \wedge (s \in ac' \lhd s.wait \rhd RA1(true)))$
      {Property of conditional}
$= (true \lhd s.wait \rhd \neg RA1(true) \vdash (true \wedge s \in ac') \lhd s.wait \rhd (\neg RA1(true) \wedge RA1(true)))$
      {Predicate calculus}
$= (true \lhd s.wait \rhd \neg RA1(true) \vdash s \in ac' \lhd s.wait \rhd false)$
      {Predicate calculus}
$= (s.wait \vee (\neg s.wait \wedge \neg RA1(true)) \vdash s.wait \wedge s \in ac')$
      {Predicate calculus}
$= (s.wait \vee \neg RA1(true) \vdash s.wait \wedge s \in ac')$

□


H.3.4 Choice

Properties

Lemma L.6.4.3 $AP(true \vdash ac' \neq \emptyset) = (true \vdash s \in ac' \lhd s.wait \rhd RA1(true))$

Proof.

  $AP(true \vdash ac' \neq \emptyset)$
      {Lemma L.H.3.3}
$= (true \lhd s.wait \rhd \neg RA2 \circ PBMH(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(true))$
      {Lemma L.E.4.5}
$= (true \lhd s.wait \rhd \neg RA2(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1(true))$
      {Theorem T.5.2.10}
$= (true \lhd s.wait \rhd \neg RA2(false) \vdash s \in ac' \lhd s.wait \rhd RA1 \circ RA2(true))$
      {Lemma L.G.2.4}
$= (true \lhd s.wait \rhd \neg false \vdash s \in ac' \lhd s.wait \rhd RA1(true))$
      {Predicate calculus}
$= (true \lhd s.wait \rhd true \vdash s \in ac' \lhd s.wait \rhd RA1(true))$
      {Property of conditional}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA1(true))$

□

Lemma L.H.3.3

$AP(true \vdash ac' \neq \emptyset) = (true \lhd s.wait \rhd \neg RA2 \circ PBMH(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(true))$

Proof.

  $AP(true \vdash ac' \neq \emptyset)$
      {Lemma L.H.1.10}
$= (true \lhd s.wait \rhd \neg RA2 \circ PBMH(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(ac' \neq \emptyset))$
      {Lemma L.E.4.4}
$= (true \lhd s.wait \rhd \neg RA2 \circ PBMH(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1(ac' \neq \emptyset))$
      {Lemma L.G.1.22}
$= (true \lhd s.wait \rhd \neg RA2 \circ PBMH(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1(true))$
      {Lemma L.E.4.1}
$= (true \lhd s.wait \rhd \neg RA2 \circ PBMH(false) \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(true))$

□


Linking

Theorem T.6.4.12 $H1(Choice_{RAD}) = Choice_{AP}$

Proof.

  $H1(Choice_{RAD})$
      {Definition of $Choice_{RAD}$}
$= H1 \circ RA \circ \mathbf{A}(true \vdash ac' \neq \emptyset)$
      {Lemma L.H.2.2}
$= AP(true \vdash ac' \neq \emptyset)$
      {Definition of $Choice_{AP}$}
$= Choice_{AP}$

□

Theorem T.6.4.13 $RA1(Choice_{AP}) = Choice_{RAD}$

Proof.

  $RA1(Choice_{AP})$
      {Definition of $Choice_{AP}$}
$= RA1 \circ AP(true \vdash ac' \neq \emptyset)$
      {Theorem T.6.3.2}
$= RA \circ \mathbf{A}(\neg (true \vdash ac' \neq \emptyset)^f_f \vdash (true \vdash ac' \neq \emptyset)^t_f)$
      {Lemma L.A.2.16}
$= RA \circ \mathbf{A}(true_f \vdash (ac' \neq \emptyset)_f)$
      {Substitution}
$= RA \circ \mathbf{A}(true \vdash ac' \neq \emptyset)$
      {Definition of $Choice_{RAD}$}
$= Choice_{RAD}$

□


H.3.5 Stop

Theorem T.6.4.14 $H1(Stop_{RAD}) = Stop_{AP}$

Proof.

  $H1(Stop_{RAD})$
      {Definition of $Stop_{RAD}$}
$= H1 \circ RA \circ \mathbf{A}(true \vdash ⓔ^{y}_{ac'}(y.tr = s.tr \wedge y.wait))$
      {Lemma L.H.2.2}
$= AP(true \vdash ⓔ^{y}_{ac'}(y.tr = s.tr \wedge y.wait))$
      {Definition of $Stop_{AP}$}
$= Stop_{AP}$

□

Theorem T.6.4.15 $RA1(Stop_{AP}) = Stop_{RAD}$

Proof.

  $RA1(Stop_{AP})$
      {Definition of $Stop_{AP}$}
$= RA1 \circ AP(true \vdash ⓔ^{y}_{ac'}(y.tr = s.tr \wedge y.wait))$
      {Theorem T.6.3.2}
$= RA \circ \mathbf{A}(\neg (true \vdash ⓔ^{y}_{ac'}(y.tr = s.tr \wedge y.wait))^f_f \vdash (true \vdash ⓔ^{y}_{ac'}(y.tr = s.tr \wedge y.wait))^t_f)$
      {Lemma L.A.2.16}
$= RA \circ \mathbf{A}(true_f \vdash (ⓔ^{y}_{ac'}(y.tr = s.tr \wedge y.wait))_f)$
      {Substitution}
$= RA \circ \mathbf{A}(true \vdash ⓔ^{y}_{ac'}(y.tr = s.tr \wedge y.wait))$
      {Definition of $Stop_{RAD}$}
$= Stop_{RAD}$

□


H.3.6 Skip

Theorem T.6.4.16 $H1(Skip_{RAD}) = Skip_{AP}$

Proof.

  $H1(Skip_{RAD})$
      {Definition of $Skip_{RAD}$}
$= H1 \circ RA \circ \mathbf{A}(true \vdash ⓔ^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr))$
      {Lemma L.H.2.2}
$= AP(true \vdash ⓔ^{y}_{ac'}(\neg y.wait \wedge y.tr = s.tr))$
      {Definition of $Skip_{AP}$}
$= Skip_{AP}$

□

Theorem T.6.4.17 $RA1(Skip_{AP}) = Skip_{RAD}$

Proof.

  $RA1(Skip_{AP})$
      {Definition of $Skip_{AP}$}
$= RA1 \circ AP(true \vdash ⓔ^{y}_{ac'}(y.tr = s.tr \wedge \neg y.wait))$
      {Theorem T.6.3.2}
$= RA \circ \mathbf{A}(\neg (true \vdash ⓔ^{y}_{ac'}(y.tr = s.tr \wedge \neg y.wait))^f_f \vdash (true \vdash ⓔ^{y}_{ac'}(y.tr = s.tr \wedge \neg y.wait))^t_f)$
      {Lemma L.A.2.16}
$= RA \circ \mathbf{A}(true_f \vdash (ⓔ^{y}_{ac'}(y.tr = s.tr \wedge \neg y.wait))_f)$
      {Substitution}
$= RA \circ \mathbf{A}(true \vdash ⓔ^{y}_{ac'}(y.tr = s.tr \wedge \neg y.wait))$
      {Definition of $Skip_{RAD}$}
$= Skip_{RAD}$

□


H.3.7 Sequential Composition

Theorem T.6.4.18 Provided P and Q are AP-healthy,

\[
P ;_{\mathcal{D}ac} Q = AP\left(\begin{array}{l}
\neg (P^f_f ;_{\mathcal{A}} true) \wedge \neg (RA1(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2(Q^f_f))) \\
\vdash \\
RA1(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA2(\neg Q^f_f \Rightarrow RA1(Q^t_f)))
\end{array}\right)
\]

Proof.

  $P ;_{\mathcal{D}ac} Q$
      {Assumption: P and Q are AP-healthy}
$= AP(P) ;_{\mathcal{D}ac} AP(Q)$
      {Theorem T.H.3.3}
\[
= AP\left(\begin{array}{l}
\neg (PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA2(\neg PBMH(Q^f_f) \Rightarrow RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Lemma L.E.5.1}
\[
= AP\left(\begin{array}{l}
\neg (PBMH(P)^f_f ;_{\mathcal{A}} true) \wedge \neg (RA1(PBMH(P)^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2(PBMH(Q)^f_f))) \\
\vdash \\
RA1(PBMH(P)^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA2(\neg PBMH(Q)^f_f \Rightarrow RA1(PBMH(Q)^t_f)))
\end{array}\right)
\]
      {Assumption: P is AP-healthy and Theorem T.H.1.3}
\[
= AP\left(\begin{array}{l}
\neg (P^f_f ;_{\mathcal{A}} true) \wedge \neg (RA1(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2(PBMH(Q)^f_f))) \\
\vdash \\
RA1(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA2(\neg PBMH(Q)^f_f \Rightarrow RA1(PBMH(Q)^t_f)))
\end{array}\right)
\]
      {Assumption: Q is AP-healthy and Theorem T.H.1.3}
\[
= AP\left(\begin{array}{l}
\neg (P^f_f ;_{\mathcal{A}} true) \wedge \neg (RA1(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2(Q^f_f))) \\
\vdash \\
RA1(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA2(\neg Q^f_f \Rightarrow RA1(Q^t_f)))
\end{array}\right)
\]

□


Theorem T.H.3.2

\[
(true \lhd s.wait \rhd P \vdash s \in ac' \lhd s.wait \rhd Q) ;_{\mathcal{D}ac} (true \lhd s.wait \rhd R \vdash s \in ac' \lhd s.wait \rhd S)
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg ((\neg P ;_{\mathcal{A}} true) \vee (Q ;_{\mathcal{A}} (\neg s.wait \wedge \neg R))) \\
\vdash \\
s \in ac' \lhd s.wait \rhd (Q ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (R \Rightarrow S)))
\end{array}\right)
\]

Proof.

  $(true \lhd s.wait \rhd P \vdash s \in ac' \lhd s.wait \rhd Q) ;_{\mathcal{D}ac} (true \lhd s.wait \rhd R \vdash s \in ac' \lhd s.wait \rhd S)$
      {Sequential composition of designs}
\[
= \left(\begin{array}{l}
\neg (\neg (true \lhd s.wait \rhd P) ;_{\mathcal{A}} true) \wedge \neg ((s \in ac' \lhd s.wait \rhd Q) ;_{\mathcal{A}} \neg (true \lhd s.wait \rhd R)) \\
\vdash \\
(s \in ac' \lhd s.wait \rhd Q) ;_{\mathcal{A}} ((true \lhd s.wait \rhd R) \Rightarrow (s \in ac' \lhd s.wait \rhd S))
\end{array}\right)
\]
      {Property of conditional and predicate calculus}
\[
= \left(\begin{array}{l}
\neg ((false \lhd s.wait \rhd \neg P) ;_{\mathcal{A}} true) \wedge \neg ((s \in ac' \lhd s.wait \rhd Q) ;_{\mathcal{A}} (\neg s.wait \wedge \neg R)) \\
\vdash \\
(s \in ac' \lhd s.wait \rhd Q) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (R \Rightarrow S))
\end{array}\right)
\]
      {Lemma L.A.1.2}
\[
= \left(\begin{array}{l}
\neg ((false ;_{\mathcal{A}} true) \lhd s.wait \rhd (\neg P ;_{\mathcal{A}} true)) \\
\wedge\ \neg ((s \in ac' ;_{\mathcal{A}} (\neg s.wait \wedge \neg R)) \lhd s.wait \rhd (Q ;_{\mathcal{A}} (\neg s.wait \wedge \neg R))) \\
\vdash \\
(s \in ac' ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (R \Rightarrow S))) \lhd s.wait \rhd (Q ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (R \Rightarrow S)))
\end{array}\right)
\]
      {Lemma L.F.6.2}
\[
= \left(\begin{array}{l}
\neg ((false ;_{\mathcal{A}} true) \lhd s.wait \rhd (\neg P ;_{\mathcal{A}} true)) \\
\wedge\ \neg ((\neg s.wait \wedge \neg R) \lhd s.wait \rhd (Q ;_{\mathcal{A}} (\neg s.wait \wedge \neg R))) \\
\vdash \\
(s \in ac' \lhd s.wait \rhd (R \Rightarrow S)) \lhd s.wait \rhd (Q ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (R \Rightarrow S)))
\end{array}\right)
\]
      {Property of conditional and predicate calculus}
\[
= \left(\begin{array}{l}
\neg ((false ;_{\mathcal{A}} true) \lhd s.wait \rhd (\neg P ;_{\mathcal{A}} true)) \wedge \neg (false \lhd s.wait \rhd (Q ;_{\mathcal{A}} (\neg s.wait \wedge \neg R))) \\
\vdash \\
s \in ac' \lhd s.wait \rhd (Q ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (R \Rightarrow S)))
\end{array}\right)
\]
      {Lemma L.F.1.1}
\[
= \left(\begin{array}{l}
\neg (false \lhd s.wait \rhd (\neg P ;_{\mathcal{A}} true)) \wedge \neg (false \lhd s.wait \rhd (Q ;_{\mathcal{A}} (\neg s.wait \wedge \neg R))) \\
\vdash \\
s \in ac' \lhd s.wait \rhd (Q ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (R \Rightarrow S)))
\end{array}\right)
\]
      {Predicate calculus}
\[
= \left(\begin{array}{l}
\neg ((false \lhd s.wait \rhd (\neg P ;_{\mathcal{A}} true)) \vee (false \lhd s.wait \rhd (Q ;_{\mathcal{A}} (\neg s.wait \wedge \neg R)))) \\
\vdash \\
s \in ac' \lhd s.wait \rhd (Q ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (R \Rightarrow S)))
\end{array}\right)
\]
      {Property of conditional}
\[
= \left(\begin{array}{l}
\neg (false \lhd s.wait \rhd ((\neg P ;_{\mathcal{A}} true) \vee (Q ;_{\mathcal{A}} (\neg s.wait \wedge \neg R)))) \\
\vdash \\
s \in ac' \lhd s.wait \rhd (Q ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (R \Rightarrow S)))
\end{array}\right)
\]
      {Property of conditional}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg ((\neg P ;_{\mathcal{A}} true) \vee (Q ;_{\mathcal{A}} (\neg s.wait \wedge \neg R))) \\
\vdash \\
s \in ac' \lhd s.wait \rhd (Q ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (R \Rightarrow S)))
\end{array}\right)
\]

□


Theorem T.H.3.3

\[
AP(P) ;_{\mathcal{D}ac} AP(Q) = AP\left(\begin{array}{l}
\neg (PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA2(\neg PBMH(Q^f_f) \Rightarrow RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]

Proof.

  $AP(P) ;_{\mathcal{D}ac} AP(Q)$
      {Theorem T.6.2.9}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(P^f_f) \\ \vdash \\ s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)
\end{array}\right)
;_{\mathcal{D}ac}
\left(\begin{array}{l}
true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f) \\ \vdash \\ s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f)
\end{array}\right)
\]
      {Theorem T.H.3.2}
\[
= \left(\begin{array}{l}
true \lhd s.wait \rhd \neg ((RA2 \circ PBMH(P^f_f) ;_{\mathcal{A}} true) \vee (RA2 \circ RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f)))) \\
\vdash \\
s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (\neg RA2 \circ PBMH(Q^f_f) \Rightarrow RA2 \circ RA1 \circ PBMH(Q^t_f))))
\end{array}\right)
\]
      {Lemma L.H.1.1}
\[
= RA3_{AP}\left(\begin{array}{l}
\neg ((RA2 \circ PBMH(P^f_f) ;_{\mathcal{A}} true) \vee (RA2 \circ RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f)))) \\
\vdash \\
RA2 \circ RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (\neg RA2 \circ PBMH(Q^f_f) \Rightarrow RA2 \circ RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Lemma L.G.2.4 and Theorem T.G.2.1}
\[
= RA3_{AP}\left(\begin{array}{l}
\neg (RA2(PBMH(P^f_f) ;_{\mathcal{A}} true) \vee (RA2 \circ RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f)))) \\
\vdash \\
RA2 \circ RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (\neg RA2 \circ PBMH(Q^f_f) \Rightarrow RA2 \circ RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Lemma L.G.2.4 and Theorems T.5.2.6 and T.G.2.4}
\[
= RA3_{AP}\left(\begin{array}{l}
\neg (RA2(PBMH(P^f_f) ;_{\mathcal{A}} true) \vee RA2(RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f)))) \\
\vdash \\
RA2 \circ RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (\neg RA2 \circ PBMH(Q^f_f) \Rightarrow RA2 \circ RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Predicate calculus and Theorem T.5.2.7}
\[
= RA3_{AP}\left(\begin{array}{l}
\neg RA2((PBMH(P^f_f) ;_{\mathcal{A}} true) \vee (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f)))) \\
\vdash \\
RA2 \circ RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA2(\neg PBMH(Q^f_f) \Rightarrow RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Lemmas L.G.2.3, L.G.2.6 and L.G.2.8 and Theorem T.G.2.4}
\[
= RA3_{AP}\left(\begin{array}{l}
\neg RA2((PBMH(P^f_f) ;_{\mathcal{A}} true) \vee (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f)))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} RA2(s \in ac' \lhd s.wait \rhd RA2(\neg PBMH(Q^f_f) \Rightarrow RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Lemma L.G.2.15}
\[
= RA3_{AP}\left(\begin{array}{l}
\neg RA2((PBMH(P^f_f) ;_{\mathcal{A}} true) \vee (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f)))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd RA2(\neg PBMH(Q^f_f) \Rightarrow RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Predicate calculus and Theorem T.5.2.7}
\[
= RA3_{AP} \circ RA2\left(\begin{array}{l}
\neg (PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (\neg RA2 \circ PBMH(Q^f_f) \Rightarrow RA2 \circ RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Lemma L.A.1.1}
\[
= RA3_{AP} \circ RA2\left(\begin{array}{l}
\neg (PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} ((true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f)) \Rightarrow (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Theorem T.5.2.10}
\[
= RA3_{AP} \circ RA2\left(\begin{array}{l}
\neg (PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} ((true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f)) \Rightarrow (s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Lemma L.G.1.6 and predicate calculus}
\[
= RA3_{AP} \circ RA2\left(\begin{array}{l}
\neg (PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} ((true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f)) \Rightarrow ((s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(Q^t_f)) \wedge ac' \neq \emptyset))
\end{array}\right)
\]
      {Theorem T.5.2.5 and Lemma L.F.2.9}
\[
= RA3_{AP} \circ RA2\left(\begin{array}{l}
\neg (PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
(RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} \neg (true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f))) \\
\vee\ (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (((true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f)) \Rightarrow (s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(Q^t_f))) \wedge ac' \neq \emptyset))
\end{array}\right)
\]
      {Property of conditional and predicate calculus}
\[
= RA3_{AP} \circ RA2\left(\begin{array}{l}
\neg (PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
(RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vee\ (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (((true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f)) \Rightarrow (s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(Q^t_f))) \wedge ac' \neq \emptyset))
\end{array}\right)
\]
      {Property of designs and predicate calculus}
\[
= RA3_{AP} \circ RA2\left(\begin{array}{l}
\neg (PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (((true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f)) \Rightarrow (s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(Q^t_f))) \wedge ac' \neq \emptyset)
\end{array}\right)
\]
      {Definition of $\mathbf{A0}$}
\[
= RA3_{AP} \circ RA2 \circ \mathbf{A0}\left(\begin{array}{l}
\neg (PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} ((true \lhd s.wait \rhd \neg RA2 \circ PBMH(Q^f_f)) \Rightarrow (s \in ac' \lhd s.wait \rhd RA1 \circ RA2 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Predicate calculus and property of conditional}
\[
= RA3_{AP} \circ RA2 \circ \mathbf{A0}\left(\begin{array}{l}
\neg (PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (\neg RA2 \circ PBMH(Q^f_f) \Rightarrow RA1 \circ RA2 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Lemma L.E.4.5 and Theorem T.F.3.1}
\[
= RA3_{AP} \circ RA2 \circ \mathbf{A0}\left(\begin{array}{l}
\neg PBMH(PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (\neg RA2 \circ PBMH(Q^f_f) \Rightarrow RA1 \circ RA2 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Theorems T.E.3.1, T.F.3.1, T.5.2.5 and T.5.2.11 and Lemma L.E.4.5}
\[
= RA3_{AP} \circ RA2 \circ \mathbf{A0}\left(\begin{array}{l}
\neg PBMH(PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg PBMH(RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (s \in ac' \lhd s.wait \rhd (\neg RA2 \circ PBMH(Q^f_f) \Rightarrow RA1 \circ RA2 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Theorems T.5.2.5 and T.5.2.11 and Lemmas L.E.4.3 and L.E.4.9}
\[
= RA3_{AP} \circ RA2 \circ \mathbf{A0}\left(\begin{array}{l}
\neg PBMH(PBMH(P^f_f) ;_{\mathcal{A}} true) \wedge \neg PBMH(RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \\
\vdash \\
RA1 \circ PBMH(P^t_f) ;_{\mathcal{A}} PBMH(s \in ac' \lhd s.wait \rhd (\neg RA2 \circ PBMH(Q^f_f) \Rightarrow RA1 \circ RA2 \circ PBMH(Q^t_f)))
\end{array}\right)
\]
      {Theorem T.E.2.2}
$= RA3_{AP} \circ RA2 \circ \mathbf{A0}\big((PBMH(P^f_f) ;_{\mathcal{A}} true)$


PBMH 


V 


/ RAl o PBMH(P| 


\ 


iA 


\ (-■ s.wait A RA2 o PBMH(ffi)) / 




h 


( RAl o PBMH (Pj 


\ 


iA 


PBMH 


/ s E ad 
<s.wait> 

( RA2 o PBMH (Q f f ) 


V V 
/ 


\ 


\ 


V \ (RAl o RA2 o PBMH(<5j)) / / / / 

{Theorems IT. F.3. II and IT. 5.2. 51} 


o AO 


( (PBMH(rf) ^ true) 


PBMH 


\ 


V 


/ RAl o PBMH(F| 


\ 


iA 


h 


\ (-i s.wait A RA2 o PBMH(<^)) J 
( RAl o PBMH(P 


PBMH 


iA 


PBMH 


f> 

( s E ad 
<s.wait> 

( RA2 o PBMH(<5{ 




V \ (RAl o RA2 o PBMH(Qj)) ) ) ) 

{Definition of A1 and A} 
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— RA3N 2 0 


— RA3N 2 0 


/ 


A 


( (PBMH (Pj) ; A true ) 




V 


l RA1 o PBMH(Pf 




iA 


\ (-■ s.wait A RA2 o PBMH(Qf)) / 




h 


/ RA1 o PBMH(P‘ 




iA 


PBMH 


/ s G ac! 

<\s.wait\> 

( RA2 o PBMH(Qf) 


\ 


\ 


V V V \ (RA1 O RA2 O PBMH(Q')) J J J J 

{Theorems IT. 5.2. 51 and IT. 5.2. Ill and Lemmas IL.E.4.31 and IL.E.4.91} 


/ 


A 


( (PBMH (Pj) true ) 


\ 


V 


l RAl o PBMH (Pj 


\ 


iA 


\ (-■ s.wait A RA2 o PBMH(Qj)) / 


\ 


/ 


h 


/ RAl o PBMH(P‘ 




5.4 


s G ac' < s.wait > 


/ RA2 o PBMH(Q{) 








\ (RAl o RA2 o PBMH(<5{)) 

{Predicate calculus and Theorems IT. 5. 2.101 and IT. 5.2. 71} 
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( 


= RA 


3N,2 


A 


( (PBMH(Pf) true ) 




A 


/ RAl o PBMH^ 


\ 


iA 


\ (-1 s.wait A RA2 o PBMH(ffl) / 


\ 


h 


( RAl o PBMHfP; 




iA 


s G ac' < s.wait \> RA2 


( -i PBMH(Qf) 




/ 


/ 


  {Lemma L.H.1.11}
$= AP\left( \neg (PBMH(P^f_f) ;_A true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ PBMH(Q^f_f))) \vdash RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2(\neg PBMH(Q^f_f) \Rightarrow RA1 \circ PBMH(Q^t_f))) \right)$
□

Lemma L.H.3.4


$P ;_{Dac} Chaos_{AP} = AP\left( \neg (P^f_f ;_A true) \wedge \neg (RA1(P^t_f) ;_A \neg s.wait) \vdash RA1(P^t_f) ;_A (s \in ac' \vee \neg s.wait) \right)$

Proof.

$P ;_{Dac} Chaos_{AP}$
  {Definition of $Chaos_{AP}$ (Lemma L.6.4.1)}
$= P ;_{Dac} (s.wait \vdash s \in ac')$
  {Assumption: $P$ is AP-healthy and Theorem T.6.4.18}
$= AP\left( \neg (P^f_f ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2(\neg s.wait))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2(s.wait \Rightarrow RA1(s \in ac'))) \right)$
  {Predicate calculus and Theorem T.5.2.7}
$= AP\left( \neg (P^f_f ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2(\neg s.wait))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2(\neg s.wait) \vee RA2 \circ RA1(s \in ac'))) \right)$
  {Definition of RA2 and substitution}
$= AP\left( \neg (P^f_f ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge \neg s.wait)) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (\neg s.wait \vee RA2 \circ RA1(s \in ac'))) \right)$
  {Predicate calculus: absorption law}
$= AP\left( \neg (P^f_f ;_A true) \wedge \neg (RA1(P^t_f) ;_A \neg s.wait) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd true) \right)$
  {Property of conditional}
$= AP\left( \neg (P^f_f ;_A true) \wedge \neg (RA1(P^t_f) ;_A \neg s.wait) \vdash RA1(P^t_f) ;_A ((s.wait \wedge s \in ac') \vee \neg s.wait) \right)$
  {Predicate calculus}
$= AP\left( \neg (P^f_f ;_A true) \wedge \neg (RA1(P^t_f) ;_A \neg s.wait) \vdash RA1(P^t_f) ;_A (s \in ac' \vee \neg s.wait) \right)$
□


Lemma L.H.3.5

$Skip_{AP} \sqcap_{AP} Stop_{AP} = \left( true \vdash s \in ac' \lhd s.wait \rhd ((\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait) \wedge (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait)) \right)$

Proof.

$Skip_{AP} \sqcap_{AP} Stop_{AP}$
  {Definition of $Skip_{AP}$ and $Stop_{AP}$}
$= AP(true \vdash (\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait)) \sqcap_{AP} AP(true \vdash (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait))$
  {Lemma L.H.1.10}
$= (true \vdash s \in ac' \lhd s.wait \rhd (\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait)) \sqcap_{AP} (true \vdash s \in ac' \lhd s.wait \rhd (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait))$
  {Definition of $\sqcap_{AP}$ and conjunction of designs}
$= \left( true \vee true \vdash (true \Rightarrow s \in ac' \lhd s.wait \rhd (\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait)) \wedge (true \Rightarrow s \in ac' \lhd s.wait \rhd (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait)) \right)$
  {Predicate calculus}
$= \left( true \vdash (s \in ac' \lhd s.wait \rhd (\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait)) \wedge (s \in ac' \lhd s.wait \rhd (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait)) \right)$
  {Property of conditional}
$= \left( true \vdash s \in ac' \lhd s.wait \rhd ((\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait) \wedge (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait)) \right)$
□


Lemma L.H.3.6 $(Skip_{AP} \sqcap_{AP} Stop_{AP}) ;_{Dac} Chaos_{AP} = Stop_{AP}$

Proof.

$(Skip_{AP} \sqcap_{AP} Stop_{AP}) ;_{Dac} Chaos_{AP}$
  {Lemma L.H.3.5}
$= \left( true \vdash s \in ac' \lhd s.wait \rhd ((\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait) \wedge (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait)) \right) ;_{Dac} Chaos_{AP}$
  {Lemma L.H.3.4}
$= AP\left( \neg (false ;_A true) \wedge \neg (RA1(s \in ac' \lhd s.wait \rhd ((\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait) \wedge (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait))) ;_A \neg s.wait) \vdash RA1(s \in ac' \lhd s.wait \rhd ((\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait) \wedge (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait))) ;_A (s \in ac' \vee \neg s.wait) \right)$
  {Lemmas L.G.1.14, L.G.1.15 and L.G.7.15 and Theorem T.5.2.2}
$= AP\left( \neg (false ;_A true) \wedge \neg ((s \in ac' \lhd s.wait \rhd ((\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait) \wedge (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait))) ;_A \neg s.wait) \vdash (s \in ac' \lhd s.wait \rhd ((\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait) \wedge (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait))) ;_A (s \in ac' \vee \neg s.wait) \right)$
  {Lemma L.F.1.1 and predicate calculus}
$= AP\left( \neg ((s \in ac' \lhd s.wait \rhd ((\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait) \wedge (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait))) ;_A \neg s.wait) \vdash (s \in ac' \lhd s.wait \rhd ((\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait) \wedge (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait))) ;_A (s \in ac' \vee \neg s.wait) \right)$
  {Lemmas L.F.1.4 and L.F.1.5}
$= AP\left( \neg ((s \in ac' ;_A \neg s.wait) \lhd s.wait \rhd (((\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait) ;_A \neg s.wait) \wedge ((\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait) ;_A \neg s.wait))) \vdash (s \in ac' ;_A (s \in ac' \vee \neg s.wait)) \lhd s.wait \rhd (((\exists y \in ac' \bullet y.tr = s.tr \wedge \neg y.wait) ;_A (s \in ac' \vee \neg s.wait)) \wedge ((\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait) ;_A (s \in ac' \vee \neg s.wait))) \right)$
  {Definition of $\exists y \in ac' \bullet$ and substitution}
$= AP\left( \neg ((\neg s.wait) \lhd s.wait \rhd ((\exists y \bullet y.tr = s.tr \wedge \neg y.wait \wedge \neg y.wait) \wedge (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge \neg y.wait))) \vdash (s \in ac' \vee \neg s.wait) \lhd s.wait \rhd ((\exists y \bullet y.tr = s.tr \wedge \neg y.wait \wedge (y \in ac' \vee \neg y.wait)) \wedge (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge (y \in ac' \vee \neg y.wait))) \right)$
  {Predicate calculus}
$= AP\left( \neg ((\neg s.wait) \lhd s.wait \rhd false) \vdash (s \in ac' \vee \neg s.wait) \lhd s.wait \rhd (((\exists y \bullet y.tr = s.tr \wedge \neg y.wait \wedge y \in ac') \vee (\exists y \bullet y.tr = s.tr \wedge \neg y.wait)) \wedge ((\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac') \vee (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge \neg y.wait))) \right)$
  {Property of conditional and predicate calculus}
$= AP\left( true \vdash (s \in ac') \lhd s.wait \rhd (((\exists y \bullet y.tr = s.tr \wedge \neg y.wait \wedge y \in ac') \vee (\exists y \bullet y.tr = s.tr \wedge \neg y.wait)) \wedge ((\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac') \vee (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge \neg y.wait))) \right)$
  {Predicate calculus}
$= AP\left( true \vdash (s \in ac') \lhd s.wait \rhd (((\exists y \bullet y.tr = s.tr \wedge \neg y.wait \wedge y \in ac') \vee (\exists y \bullet y.tr = s.tr \wedge \neg y.wait)) \wedge (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac')) \right)$
  {Predicate calculus: absorption law}
$= AP\left( true \vdash (s \in ac') \lhd s.wait \rhd ((\exists y \bullet y.tr = s.tr \wedge \neg y.wait) \wedge (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac')) \right)$
  {Predicate calculus}
$= AP\left( true \vdash s \in ac' \lhd s.wait \rhd (\exists y \bullet y.tr = s.tr \wedge y.wait \wedge y \in ac') \right)$
  {Definition of $\exists y \in ac' \bullet$}
$= AP\left( true \vdash s \in ac' \lhd s.wait \rhd (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait) \right)$
  {Lemma L.H.1.9}
$= AP(true \vdash (\exists y \in ac' \bullet y.tr = s.tr \wedge y.wait))$
  {Definition of $Stop_{AP}$}
$= Stop_{AP}$
□


Linking

Theorem T.6.4.19 Provided $P$ and $Q$ are reactive angelic designs,

$RA1(H1(P) ;_{Dac} H1(Q)) \sqsubseteq P ;_{Dac} Q$

Proof.

$RA1(H1(P) ;_{Dac} H1(Q))$
  {Assumption: $P$ and $Q$ are RAD-healthy and Lemma L.H.2.5}
$= RA1(AP(\neg RA1(P^f_f) \vdash P^t_f) ;_{Dac} AP(\neg RA1(Q^f_f) \vdash Q^t_f))$
  {Theorem T.H.3.3 and Lemma L.H.1.11}

H.3. OPERATORS 821

$= RA1 \circ AP\left( \neg (PBMH \circ RA1(P^f_f) ;_A true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ PBMH \circ RA1(Q^f_f))) \vdash RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2(\neg PBMH \circ RA1(Q^f_f) \Rightarrow RA1 \circ PBMH(Q^t_f))) \right)$
  {Theorem T.6.3.2}
$= RA \circ A\left( \neg (PBMH \circ RA1(P^f_f) ;_A true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ PBMH \circ RA1(Q^f_f))) \vdash RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2(\neg PBMH \circ RA1(Q^f_f) \Rightarrow RA1 \circ PBMH(Q^t_f))) \right)$
  {Assumption: $P$ and $Q$ are RAD-healthy and Theorem T.5.2.2}
  {Lemma L.E.5.1 and Theorem T.5.2.5}
$= RA \circ A\left( \neg (RA1(P^f_f) ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2(\neg RA1(Q^f_f) \Rightarrow RA1(Q^t_f))) \right)$
  {Predicate calculus and Theorem T.5.2.3}
$= RA \circ A\left( \neg (RA1(P^f_f) ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f)) \right)$
  {$P$ is RAD-healthy, Theorem T.5.2.2 and Lemma L.G.1.30 and weaken precondition}
$\sqsubseteq RA \circ A\left( \neg (RA1(P^f_f) ;_A RA1(true)) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f)) \right)$
  {Assumption: $P$ and $Q$ are RAD-healthy and Theorem T.5.4.2}
$= P ;_{Dac} Q$
□


Theorem T.6.4.20 Provided $P$ and $Q$ are AP-healthy,

$H1(RA1(P) ;_{Dac} RA1(Q)) \sqsupseteq P ;_{Dac} Q$

Proof.

$H1(RA1(P) ;_{Dac} RA1(Q))$
  {Assumption: $P$ and $Q$ are AP-healthy}
$= H1(RA1 \circ AP(P) ;_{Dac} RA1 \circ AP(Q))$
  {Theorem T.6.3.2}
$= H1(RA \circ A(\neg P^f_f \vdash P^t_f) ;_{Dac} RA \circ A(\neg Q^f_f \vdash Q^t_f))$
  {Theorem T.5.4.2}
$= H1 \circ RA \circ A\left( \neg (RA1(P^f_f) ;_A RA1(true)) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Theorem T.5.2.20 and Lemma L.H.2.4}
$= AP\left( \neg RA1 \circ PBMH(\neg (\neg (RA1(P^f_f) ;_A RA1(true)) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f))))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Predicate calculus}
$= AP\left( \neg RA1 \circ PBMH((RA1(P^f_f) ;_A RA1(true)) \vee (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f)))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Theorem T.E.2.2}
$= AP\left( \neg RA1(PBMH(RA1(P^f_f) ;_A RA1(true)) \vee PBMH(RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f)))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {$P$ and $Q$ are AP-healthy and Theorem T.H.1.3}
  {Lemma L.E.5.1 and Theorems T.5.2.5 and T.5.2.11}
$= AP\left( \neg RA1(PBMH(PBMH \circ RA1(P^f_f) ;_A RA1(true)) \vee PBMH(PBMH \circ RA1(P^t_f) ;_A (\neg s.wait \wedge PBMH \circ RA2 \circ RA1(Q^f_f)))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Lemma L.E.4.1 and Theorems T.F.3.1 and T.5.2.5}
$= AP\left( \neg RA1((PBMH \circ RA1(P^f_f) ;_A RA1(true)) \vee PBMH(PBMH \circ RA1(P^t_f) ;_A (\neg s.wait \wedge PBMH \circ RA2 \circ RA1(Q^f_f)))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Lemma L.E.4.5 and Theorems T.E.3.1 and T.F.3.1}
$= AP\left( \neg RA1((PBMH \circ RA1(P^f_f) ;_A RA1(true)) \vee (PBMH \circ RA1(P^t_f) ;_A (\neg s.wait \wedge PBMH \circ RA2 \circ RA1(Q^f_f)))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {$P$ and $Q$ are AP-healthy and Theorem T.H.1.3}
  {Lemma L.E.5.1 and Theorems T.5.2.5 and T.5.2.11}
$= AP\left( \neg RA1((RA1(P^f_f) ;_A RA1(true)) \vee (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f)))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Theorem T.5.2.3}
$= AP\left( \neg (RA1(RA1(P^f_f) ;_A RA1(true)) \vee RA1(RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f)))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Theorem T.5.2.10}
$= AP\left( \neg (RA1(RA1(P^f_f) ;_A RA1(true)) \vee RA1(RA1(P^t_f) ;_A (\neg s.wait \wedge RA1 \circ RA2(Q^f_f)))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Lemma L.G.1.16 and Theorem T.5.2.4}
$= AP\left( \neg ((RA1(P^f_f) ;_A RA1(true)) \vee (RA1(P^t_f) ;_A (\neg s.wait \wedge RA1 \circ RA2(Q^f_f)))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Theorem T.5.2.10}
$= AP\left( \neg ((RA1(P^f_f) ;_A RA1(true)) \vee (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f)))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Predicate calculus}
$= AP\left( \neg (RA1(P^f_f) ;_A RA1(true)) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {$P$ is AP-healthy and Theorem T.H.1.3 and Lemma L.E.5.1}
  {Lemma L.G.1.30 and strengthen precondition}
$\sqsupseteq AP\left( \neg (RA1(P^f_f) ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ RA1(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Lemmas L.G.1.10 and L.G.1.33}
$= AP\left( \neg (RA1(P^f_f) ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2(Q^f_f) \wedge RA1(true))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {$P$ is AP-healthy and Theorem T.H.1.3 and Lemma L.E.5.1}
  {Lemma L.F.1.6 and strengthen precondition}
$\sqsupseteq AP\left( \neg (RA1(P^f_f) ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(\neg Q^f_f \Rightarrow Q^t_f))) \right)$
  {Predicate calculus and Theorems T.5.2.3 and T.5.2.7}
$= AP\left( \neg (RA1(P^f_f) ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1(Q^f_f) \vee RA2 \circ RA1(Q^t_f))) \right)$
  {Lemmas L.G.1.10 and L.G.1.33}
$= AP\left( \neg (RA1(P^f_f) ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd ((RA2(Q^f_f) \wedge RA1(true)) \vee RA2 \circ RA1(Q^t_f))) \right)$
  {Predicate calculus}
$= AP\left( \neg (RA1(P^f_f) ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd ((RA2(Q^f_f) \vee RA2 \circ RA1(Q^t_f)) \wedge (RA1(true) \vee RA2 \circ RA1(Q^t_f)))) \right)$
  {Property of conditional}
$= AP\left( \neg (RA1(P^f_f) ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2(Q^f_f))) \vdash RA1(P^t_f) ;_A ((s \in ac' \lhd s.wait \rhd (RA2(Q^f_f) \vee RA2 \circ RA1(Q^t_f))) \wedge (s \in ac' \lhd s.wait \rhd (RA1(true) \vee RA2 \circ RA1(Q^t_f)))) \right)$
  {Lemma L.F.1.6 and weaken postcondition}
$= AP\left( \neg (RA1(P^f_f) ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd (RA2(Q^f_f) \vee RA2 \circ RA1(Q^t_f))) \right)$
  {Theorem T.5.2.7 and predicate calculus}
$= AP\left( \neg (RA1(P^f_f) ;_A true) \wedge \neg (RA1(P^t_f) ;_A (\neg s.wait \wedge RA2(Q^f_f))) \vdash RA1(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2(\neg Q^f_f \Rightarrow RA1(Q^t_f))) \right)$
  {Assumption: $P$ and $Q$ are AP-healthy and Theorem T.H.3.3}
$= P ;_{Dac} Q$
□


Theorem T.6.4.21 Provided $P$ and $Q$ are reactive angelic designs and $ND_{RAD}$-healthy,

$RA1(H1(P) ;_{Dac} H1(Q)) = P ;_{Dac} Q$

Proof.

$RA1(H1(P) ;_{Dac} H1(Q))$
  {Assumption: $P$ and $Q$ are RAD-healthy}
$= RA1(H1 \circ RAD(P) ;_{Dac} H1 \circ RAD(Q))$
  {Theorem [reference illegible in the source]}
$= RA1(H1 \circ RA \circ A(true \vdash P^t_f) ;_{Dac} H1 \circ RA \circ A(true \vdash Q^t_f))$
  {Lemma L.H.2.2}
$= RA1(AP(true \vdash P^t_f) ;_{Dac} AP(true \vdash Q^t_f))$
  {Theorem T.H.3.5}

828 APPENDIX H. ANGELIC PROCESSES

$= RA1 \circ AP\left( \neg (PBMH \circ RA1(false) ;_A true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_A (\neg s.wait \wedge RA2 \circ PBMH \circ RA1(false))) \vdash RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2(\neg PBMH \circ RA1(false) \Rightarrow RA1 \circ PBMH(Q^t_f))) \right)$
  {Lemmas L.E.4.5, L.G.1.9 and L.G.2.4}
$= RA1 \circ AP\left( \neg (false ;_A true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_A (\neg s.wait \wedge false)) \vdash RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2(\neg false \Rightarrow RA1 \circ PBMH(Q^t_f))) \right)$
  {Predicate calculus}
$= RA1 \circ AP\left( \neg (false ;_A true) \wedge \neg (RA1 \circ PBMH(P^t_f) ;_A false) \vdash RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f)) \right)$
  {Definition of RA1, $;_A$ and substitution}
$= RA1 \circ AP\left( \neg (false ;_A true) \wedge \neg false \vdash RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f)) \right)$
  {Lemma L.F.1.1 and predicate calculus}
$= RA1 \circ AP\left( true \vdash RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f)) \right)$
  {Theorem T.6.3.2}
$= RA \circ A\left( true \vdash RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f)) \right)$
  {Assumption: $P$ and $Q$ are RAD-healthy and $ND_{RAD}$ and Theorems T.5.2.2 and T.G.6.1}
$= P ;_{Dac} Q$
□


Closure

Theorem T.6.4.22 Provided $P$ and $Q$ are angelic processes and $ND_{AP}$-healthy,
$ND_{AP}(P ;_{Dac} Q) = P ;_{Dac} Q$

Proof.

$P ;_{Dac} Q$
  {Assumption and Theorem T.H.3.4}
$= \left( true \vdash s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd true \Rightarrow RA2 \circ RA1 \circ PBMH(Q^t_f))) \right)$
  {Lemma L.H.3.7}
$= \left( true \vdash (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd true \Rightarrow RA2 \circ RA1 \circ PBMH(Q^t_f)))) \wedge RA1(true) \right)$
  {Property of conditional}
$= \left( true \vdash (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd true \Rightarrow RA2 \circ RA1 \circ PBMH(Q^t_f)))) \wedge (s \in ac' \lhd s.wait \rhd RA1(true)) \right)$
  {Predicate calculus}
$= \left( true \vdash (true \Rightarrow (s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd true \Rightarrow RA2 \circ RA1 \circ PBMH(Q^t_f))))) \wedge (true \Rightarrow (s \in ac' \lhd s.wait \rhd RA1(true))) \right)$
  {Conjunction of designs}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA1(true)) \wedge \left( true \vdash s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd true \Rightarrow RA2 \circ RA1 \circ PBMH(Q^t_f))) \right)$
  {Assumption and Theorem T.H.3.4}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA1(true)) \wedge (P ;_{Dac} Q)$
  {Definition of $Choice_{AP}$}
$= Choice_{AP} \wedge (P ;_{Dac} Q)$
  {Definition of $\sqcap_{AP}$}
$= Choice_{AP} \sqcap_{AP} (P ;_{Dac} Q)$
  {Definition of $ND_{AP}$}
$= ND_{AP}(P ;_{Dac} Q)$
□
Theorem T.H.3.4 Provided $P$ and $Q$ are angelic processes,

$ND_{AP}(P) ;_{Dac} ND_{AP}(Q) = \left( true \vdash s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f))) \right)$

Proof.

$ND_{AP}(P) ;_{Dac} ND_{AP}(Q)$
  {Definition of $ND_{AP}$}
$= (Choice_{AP} \sqcap_{AP} P) ;_{Dac} (Choice_{AP} \sqcap_{AP} Q)$
  {Assumption: $P$ and $Q$ are AP-healthy and Theorem T.6.2.10}
$= (true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)) ;_{Dac} (true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f))$
  {Property of conditional}
$= (true \lhd s.wait \rhd true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(P^t_f)) ;_{Dac} (true \lhd s.wait \rhd true \vdash s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f))$
  {Theorem T.H.3.2}
$= \left( true \lhd s.wait \rhd (\neg (\neg true ;_A true) \wedge \neg (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (\neg s.wait \wedge \neg true))) \vdash s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd true \Rightarrow RA2 \circ RA1 \circ PBMH(Q^t_f))) \right)$
  {Predicate calculus}
$= \left( true \lhd s.wait \rhd (\neg (false ;_A true) \wedge \neg (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A false)) \vdash s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f))) \right)$
  {Lemma L.F.1.1 and predicate calculus}
$= \left( true \lhd s.wait \rhd \neg (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A false) \vdash s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f))) \right)$
  {Theorem T.5.2.10 and Lemma L.G.1.33}
$= \left( true \lhd s.wait \rhd \neg ((RA2 \circ PBMH(P^t_f) \wedge \exists z \bullet s.tr \leq z.tr \wedge z \in ac') ;_A false) \vdash s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f))) \right)$
  {Definition of substitution and predicate calculus}
$= \left( (true \lhd s.wait \rhd \neg false) \vdash s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f))) \right)$
  {Predicate calculus and property of conditional}
$= \left( true \vdash s \in ac' \lhd s.wait \rhd (RA2 \circ RA1 \circ PBMH(P^t_f) ;_A (s \in ac' \lhd s.wait \rhd RA2 \circ RA1 \circ PBMH(Q^t_f))) \right)$
□
Lemma L.H.3.7

$(RA1 \circ RA2 \circ PBMH(P) ;_A (s \in ac' \lhd c \rhd RA1 \circ RA2 \circ PBMH(Q))) \Rightarrow RA1(true)$

Proof.

$RA1 \circ RA2 \circ PBMH(P) ;_A (s \in ac' \lhd c \rhd RA1 \circ RA2 \circ PBMH(Q))$
  {Lemma L.G.1.14}
$= RA1 \circ RA2 \circ PBMH(P) ;_A (RA1(s \in ac') \lhd c \rhd RA1 \circ RA2 \circ PBMH(Q))$
  {Assumption: $c$ is a condition, and Lemma L.G.1.15}
$= RA1 \circ RA2 \circ PBMH(P) ;_A RA1(s \in ac' \lhd c \rhd RA2 \circ PBMH(Q))$
  {Theorems T.5.2.4 and T.5.2.11 and Lemmas L.E.4.7 and L.E.4.9}
$= RA1(RA1 \circ RA2 \circ PBMH(P) ;_A RA1(s \in ac' \lhd c \rhd RA2 \circ PBMH(Q)))$
  {Predicate calculus}
$= RA1(RA1 \circ RA2 \circ PBMH(P) ;_A RA1(s \in ac' \lhd c \rhd RA2 \circ PBMH(Q))) \wedge true$
  {Theorem T.5.2.2}
$= RA1(RA1 \circ RA2 \circ PBMH(P) ;_A RA1(s \in ac' \lhd c \rhd RA2 \circ PBMH(Q))) \wedge RA1(true)$
  {Predicate calculus}
$\Rightarrow RA1(true)$
□
H.3.8 Prefixing

Theorem T.6.4.23 Provided $P$ is AP-healthy,

$a \rightarrow_{AP} P = AP\left( \neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge (RA2 \circ PBMH(P^f_f))[y/s]) \vdash \exists y \bullet (y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle \wedge RA2 \circ RA1 \circ PBMH(P^t_f)[y/s]) \right)$

Proof.

$a \rightarrow_{AP} P$
  {Definition of prefixing}
$= a \rightarrow_{AP} Skip_{AP} ;_{Dac} P$
  {Assumption: $P$ is AP-healthy}
$= a \rightarrow_{AP} Skip_{AP} ;_{Dac} AP(P)$
  {Definition of $a \rightarrow_{AP} Skip_{AP}$}
$= AP\left( true \vdash (\exists y \in ac' \bullet (y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \right) ;_{Dac} AP(P)$




{Lemma IL.H.l.lOl and Theorem IT. H.3.31} 

/ / (PBMH(/afee) \ A true) \ 


= RA 


3N,2 


A 


A 



( 

( 

/ ( y.tr = s.tr A a ^ y.ref) \ 

\ 

\ 


RAl o PBMH 

(&f ' 

Woe' 

<y.wait> 



—1 


V 

y ( y.tr = s.tr ^ (a)) ) 

) 



iA 






\ (-i s.wait A RA2 o PBMH(Pn) 


h 


RAl o PBMH 




s e ad < s.wait > RA2 


( 

/ ( y.tr — s.tr A a ^ y. 

ref) > 

\ 

©L 

<y.wait> 



V 

y ( y.tr = s.tr ^ (a)) 

) 

/ 


/ -i PBMH(Pf) 


\ 


\ (RA1 o PBMH(P})) 

{Lemmas L.E.4.2| and L.F.1.1 and predicate calculus} 
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f 

( 

( 

( ( y.tr = s.tr A a ^ y.ref ) \ 

\ \ 

\ 


RAl 0 PBMH 

(ef, 

V_ s ac' 




—1 

’A 

V 

^ ( y.tr = s.tr ^ (a)) / 

/ 



y (-1 s.wait A RA2 

0 PBMH (Pj)) 

) 



h 


— RA 3 N 2 o A 



( 

( ( y.tr = s.tr A a ^ y.ref) \ \ 

RAl 0 PBMH 

©L 

<f/.i«a££> 



1 

y ( y.tr = s.tr ^ (a)) 

// 

iA 






/ “I PBMH(Py) \ 


s G ac' <\ s.wait > RA2 



V 


\ (RAl 0 PBMH {Pj)) y! 





{Lemmas L.G.7.13 and L.G.7.15 and predicate calculus} 


/ 


— RA 3 N 2 0 A 


(ef / 

wac' 




/ ( y.tr = s.tr A a ^ y. ref ) \ 
<y.wait> 

y ( y.tr = s.tr ^ (a)) ) 


\ 


h 


(e) , 

V_yac' 


y (-1 s.wait A RA2 o PBMH(P|)) ) 

( ( y.tr = s.tr A a ^ y. ) \ 
<y.wait> 

y ( y.tr = s.tr ^ (a)) ) 


\ 


lA 

s G ac! < s.wait \> RA2 

V 


/ -I PBMH(Py) \ 


\ (RA1 o PBMH(Pj)) / 


{Lemma IL.G.7.3TT } 
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— RA 3 n,2 


— RA 3N 2 


/ 


o A 


o A 


( ( (E) y ac ,(y.wait A y.tr = s.tr A a ^ y.ref) \ 
V 

\ ©Ic’i-' y-wait A y.tr = s.tr ~ (a)) / 




5.4 


\ (-i s.wait A RA2 o PBMH(P()) 




h 


/ (E) y ac ,(y.wait A y.tr = s.tr A a ^ y.ref) \ 


V 


V (DL(- A V- tr = s - tr ~ («)) / 


5.4 


/ - PBMHl Pi 


s G ac' <3 s.wait > RA2 


\ 


\ (RA1 o PBMH(P')) / 


/ 


{Lemma IL.F.1.41} 


/ 


/ ((A) y ac ,(y.wait A y.tr = s.tr A a ^ y.re/) \ 


5.4 


\ 


\ (-i s.wait A RA2 o PBMH(P|)) ) 


V 


/ (e)^ ,(-i y.wait A y.tr = s.tr ^ (a)) \ 


V 


5.4 


\ (-i s.wait A RA2 o PBMH(P|)) / 


\ 


h 


/ / (E) y ac ,(y.wait A y.tr = s.tr A a ^ y.ref) 

5.4 


\ 


/ -I PBMH(Pr) 


s 6 ac' < s.wait t> RA2 


V 

V 


\ 


\ (RA1 o PBMH(Pf)) / 




/ (DL(-’ V- wait A y.tr = s.tr ^ (a)) 


5.4 


s 6 ac' < s.wait > RA2 


/ -n PBMH(P( 


\ 


/ 


\ (RA1 o PBMH(Pj)) / 

{Definition of (e) 2/ c , and substitution} 


/ 
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/ / / 3 y • y.wait A y.tr = s.tr A a ^ y.re/ \ \ 

A 


— RA3N 2 o A 


\ (-■ y.wait A RA 2 o PBMH(Fj)[y/s]) j 


V 


V 


\ 


/ 3 y • -1 y.wait A y.tr = s.tr ^ (a) 

A 

^ (-■ y.wait A RA 2 o PBMH(Pj)[y/s]) / 


\ 


h 


/ / 32/ • y.wait A y.tr = s.tr A a ^ y.re/ 
A 


/ -1 pbmh(f| 


y £ ac' <1 y.wait > RA 2 


\ 


[*//«] 


\ (RA 1 o PBMH(Pj)) / 


V 


/ 3y • -1 y.wait A y.tr = s.tr ^ (a) 


V 




A 


/ nPBMH(F{ 


y £ ac' <1 y.wait > RA2 


V 


\ 


b/s] 


\ (RAl o PBMH(Pj)) / 

{Predicate calculus and property of conditional} 
t / 3 y • -1 y.wait A y.tr = s.tr ^ (a) \ \ 


— RA3N 2 o A 


A 


\ (RA2 o PBMH(ff))[y/«] 


/ 


h 


/ (3 y • y.wait A y.tr = s.tr A a ^ y.re/ A y E ac' )\ 
V 

3 y • -1 y.wait A y.tr = s.tr ^ (a) \ 

A 


/ PBMH(P 


RA2 


\ 


[*//«] 


\ (RAl o PBMH(Pi)) / 


y 


y 


y 


{Predicate calculus} 
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— RA 3N 2 


— RA 3N 2 


— RA 3N 2 


/ 


A 


/ 3 y • -i y.wait A y.tr = s.tr ^ (a) \ 


A 


\ (RA2 O PBMH (P f f))[y/s] 


\ 


/ 


b 


f (3 y • y.wait A y.tr = s.tr A a £ y.ref A y E ac' )\ 
V 

/ 3 y • -i y.wait A y.tr = s.tr ^ (a) \ 


V 


V 


A 


\ 


V 


PBMH (Pj) 

RA2 | V 

(RAl o PBMH(F')) ) 


[y/s\ 


/ 


/ 


/ 


/ / 3 y • -i y.wait A y.tr — s.tr r {a 

A 


o A 


\ (RA2 o PBMH(br))[j//s] 


{Theorem IT. 5.2. 71} 


/ 


b 


/ (3 y • y.wait A y.tr = s.tr A a ^ y.re/ A y E ac' )\ 
V 

( 3 j/ • -i y.wait A y.tr = s.tr ^ (a) \ 

A 


/ RA2 o PBMH(F: 




V 


[y/s] 


\ RA2 o RAl o PBMH(Pj) / 


/ 




/ 


A 


/ 3 y • -i y.wait A y.tr = s.tr ^ (a) \ 


A 


\ (RA2 O PBMH (P f f))[y/s] 


{Substitution} 

\ 


7 


b 


( (3 y • y.wait A y.tr = s.tr A a ^ y.re/ A y E ac' )\ 
V 

/ 3 y • -i y.wait A y.tr = s.tr ^ (a) \ 


A 


( RA2 o PBMH {P f f )[y/s\ 


\ 


V 


\ RA2 o RAl o PBMH(Pj)[y/s] / 


/ 


/ 




{Predicate calculus} 
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/ 


— RA 3 N 2 o A 


V 

/ 


— RA 3 N 2 o A 


V 


( (3 y • 

h 


= AP 


/ 


3 y • 


\ \ 




—> (3 ?/ • —■ y.wait A y.tr = s.tr ^ (a) A (RA2 o PBMH(Pj)) [y/s]) ^ 

h 

(3 y • y.wait A y.tr = s.tr A a ^ y.re/ A y £ ac') 

V 

(3 y • -> y.wait A y.tr = s.tr ^ (a) A RA2 o PBMH(Pj) [y/s]) 

V 

(3 y • -i y.wait A y.tr = s.tr ^ (a) A RA2 o RA1 o PBMH(P|)[y/s]) / 
{Definition of design and predicate calculus} 

-i (3 y • -i y.wait A y.tr = s.tr ^ (a) A (RA2 o PBMH(Pj)) [y/s]) ^ 

h 

(3 y • y.wait A y.tr = s.tr A a ^ y.ref A y G ac') 

V 

(3 y • -i y.wait A y.tr = s.tr ^ (a) A RA2 o RA1 o PBMH(P})[y/s]) / 

  {Predicate calculus}
$= AP\left( \neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr \frown \langle a \rangle \wedge (RA2 \circ PBMH(P^f_f))[y/s]) \vdash \exists y \bullet (y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle \wedge RA2 \circ RA1 \circ PBMH(P^t_f)[y/s]) \right)$
□

Lemma L.6.4.4 $H1(a \rightarrow_{RAD} Skip_{RAD}) = a \rightarrow_{AP} Skip_{AP}$

Proof.

$H1(a \rightarrow_{RAD} Skip_{RAD})$
  {Definition of $a \rightarrow_{RAD} Skip_{RAD}$}
$= H1 \circ RA \circ A\left( true \vdash (\exists y \in ac' \bullet (y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \right)$
  {Lemma L.H.2.2}
$= AP\left( true \vdash (\exists y \in ac' \bullet (y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \right)$
  {Definition of $a \rightarrow_{AP} Skip_{AP}$}
$= a \rightarrow_{AP} Skip_{AP}$
□
Lemma L.6.4.5 $RA1(a \rightarrow_{AP} Skip_{AP}) = a \rightarrow_{RAD} Skip_{RAD}$

Proof.

$RA1(a \rightarrow_{AP} Skip_{AP})$
  {Definition of $a \rightarrow_{AP} Skip_{AP}$}
$= RA1 \circ AP\left( true \vdash (\exists y \in ac' \bullet (y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \right)$
  {Theorem T.6.3.2}
$= RA \circ A\left( \neg \left( true \vdash (\exists y \in ac' \bullet (y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \right)^f_f \vdash \left( true \vdash (\exists y \in ac' \bullet (y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \right)^t_f \right)$
  {Lemma L.A.2.16}
$= RA \circ A\left( true \vdash \left( true \vdash (\exists y \in ac' \bullet (y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \right)^t_f \right)$
  {Substitution}
$= RA \circ A\left( true \vdash (\exists y \in ac' \bullet (y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr \frown \langle a \rangle)) \right)$
  {Definition of $a \rightarrow_{RAD} Skip_{RAD}$}
$= a \rightarrow_{RAD} Skip_{RAD}$
□


Lemma L.6.4.6

$a \rightarrow_{AP} Chaos_{CSPAP} = \mathbf{AP}\left(\neg \mathcal{E}^{y}_{ac'}(s.tr ^\frown \langle a \rangle \leq y.tr) \vdash \mathcal{E}^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref)\right)$

Proof.

$a \rightarrow_{AP} Chaos_{CSPAP}$   {Theorem T.6.4.23 and definition of $Chaos_{CSPAP}$}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (\mathbf{RA2} \circ \mathbf{PBMH} \circ \mathbf{RA1}(true))[y/s]) \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge \mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(true)[y/s])\right)\right)$   {Lemma L.H.3.9}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (\mathbf{RA2} \circ \mathbf{RA1}(true))[y/s]) \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge \mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(true)[y/s])\right)\right)$   {Lemma L.E.4.5}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (\mathbf{RA2} \circ \mathbf{RA1}(true))[y/s]) \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge \mathbf{RA2} \circ \mathbf{RA1}(true)[y/s])\right)\right)$   {Theorem T.5.2.10 and Lemma L.G.2.4}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (\mathbf{RA1}(true))[y/s]) \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge \mathbf{RA1}(true)[y/s])\right)\right)$   {Lemma L.G.1.10}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (\exists z \bullet s.tr \leq z.tr \wedge z \in ac')[y/s]) \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge (\exists z \bullet s.tr \leq z.tr \wedge z \in ac')[y/s])\right)\right)$   {Substitution}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (\exists z \bullet y.tr \leq z.tr \wedge z \in ac')) \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge (\exists z \bullet y.tr \leq z.tr \wedge z \in ac'))\right)\right)$   {Transitivity of equality}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (\exists z \bullet s.tr ^\frown \langle a \rangle \leq z.tr \wedge z \in ac')) \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge (\exists z \bullet s.tr ^\frown \langle a \rangle \leq z.tr \wedge z \in ac'))\right)\right)$   {Predicate calculus}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (\exists z \bullet s.tr ^\frown \langle a \rangle \leq z.tr \wedge z \in ac')) \vdash (\exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \vee (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (\exists z \bullet s.tr ^\frown \langle a \rangle \leq z.tr \wedge z \in ac'))\right)$   {Predicate calculus}

$= \mathbf{AP}\left(\neg ((\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle) \wedge (\exists z \bullet s.tr ^\frown \langle a \rangle \leq z.tr \wedge z \in ac')) \vdash (\exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \vee ((\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle) \wedge (\exists z \bullet s.tr ^\frown \langle a \rangle \leq z.tr \wedge z \in ac'))\right)$   {Predicate calculus}

$= \mathbf{AP}\left(\neg (\exists z \bullet s.tr ^\frown \langle a \rangle \leq z.tr \wedge z \in ac') \vdash (\exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \vee (\exists z \bullet s.tr ^\frown \langle a \rangle \leq z.tr \wedge z \in ac')\right)$   {Definition of design and predicate calculus}

$= \mathbf{AP}\left(\neg (\exists z \bullet s.tr ^\frown \langle a \rangle \leq z.tr \wedge z \in ac') \vdash (\exists y \bullet y.wait \wedge y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac')\right)$   {Definition of $\mathcal{E}^{y}_{ac'}$}

$= \mathbf{AP}\left(\neg \mathcal{E}^{y}_{ac'}(s.tr ^\frown \langle a \rangle \leq y.tr) \vdash \mathcal{E}^{y}_{ac'}(y.wait \wedge y.tr = s.tr \wedge a \notin y.ref)\right)$

□


Lemma L.H.3.8  $a \rightarrow_{AP} Chaos_{AP} = Chaos_{AP}$

Proof.

$a \rightarrow_{AP} Chaos_{AP}$   {Definition of $Chaos_{AP}$ and Theorem T.6.4.23}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (\mathbf{RA2} \circ \mathbf{PBMH}(true))[y/s]) \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge \mathbf{RA2} \circ \mathbf{RA1} \circ \mathbf{PBMH}(true)[y/s])\right)\right)$   {Theorem T.5.2.10}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (\mathbf{RA2} \circ \mathbf{PBMH}(true))[y/s]) \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge \mathbf{RA1} \circ \mathbf{RA2} \circ \mathbf{PBMH}(true)[y/s])\right)\right)$   {Lemmas L.E.4.5 and L.G.2.4}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle \wedge (true)[y/s]) \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge \mathbf{RA1}(true)[y/s])\right)\right)$   {Substitution and predicate calculus}

$= \mathbf{AP}\left(\neg (\exists y \bullet \neg y.wait \wedge y.tr = s.tr ^\frown \langle a \rangle) \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge \mathbf{RA1}(true)[y/s])\right)\right)$   {Predicate calculus}

$= \mathbf{AP}\left(false \vdash \exists y \bullet \left((y.tr = s.tr \wedge a \notin y.ref \wedge y \in ac') \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle \wedge \mathbf{RA1}(true)[y/s])\right)\right)$   {Definition of design and predicate calculus}

$= \mathbf{AP}(false \vdash true)$   {Definition of $Chaos_{AP}$}

$= Chaos_{AP}$

□


Lemma L.H.3.9  $\mathbf{PBMH} \circ \mathbf{RA1}(true) = \mathbf{RA1}(true)$

Proof.

$\mathbf{PBMH} \circ \mathbf{RA1}(true)$   {Lemma L.G.1.10}

$= \mathbf{PBMH}(\exists z \bullet s.tr \leq z.tr \wedge z \in ac')$   {Definition of $\mathbf{PBMH}$ (Lemma L.4.2.3)}

$= \exists ac_0 \bullet (\exists z \bullet s.tr \leq z.tr \wedge z \in ac')[ac_0/ac'] \wedge ac_0 \subseteq ac'$   {Substitution}

$= \exists ac_0 \bullet \exists z \bullet s.tr \leq z.tr \wedge z \in ac_0 \wedge ac_0 \subseteq ac'$   {Predicate calculus}

$= \exists z \bullet s.tr \leq z.tr \wedge \exists ac_0 \bullet z \in ac_0 \wedge ac_0 \subseteq ac'$   {Property of sets}

$= \exists z \bullet s.tr \leq z.tr \wedge z \in ac'$   {Lemma L.G.1.10}

$= \mathbf{RA1}(true)$

□
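Lemma L.H.3.9 can be checked exhaustively on a finite model. The Python below is an added example, not code from the thesis: it represents a predicate over $(s, ac')$ as the set of pairs that satisfy it, takes $\mathbf{RA1}(true)$ in the form Lemma L.G.1.10 gives it, and applies $\mathbf{PBMH}$ as the closure under enlarging $ac'$ that the proof uses. The state space (states identified with their trace, over two events and length at most two) and all function names are constructed for the example; a second, non-healthy relation shows what the closure does when the fixed point does not hold.

```python
from itertools import combinations, product

# Finite model, constructed for this example: a state is identified with its
# trace component s.tr, drawn from all sequences over two events of length <= 2.
EVENTS = ("a", "b")
MAX_LEN = 2


def all_traces():
    """Every sequence over EVENTS of length 0..MAX_LEN (the whole finite state space)."""
    return [tuple(t) for n in range(MAX_LEN + 1) for t in product(EVENTS, repeat=n)]


def powerset(items):
    items = list(items)
    return [frozenset(c) for n in range(len(items) + 1) for c in combinations(items, n)]


def is_prefix(t, u):
    """t <= u on traces: t is a prefix of u."""
    return len(t) <= len(u) and u[:len(t)] == t


STATES = all_traces()          # 7 states
AC_SETS = powerset(STATES)     # the 128 possible values of ac'


def ra1_true():
    """RA1(true) in the form of Lemma L.G.1.10: exists z . s.tr <= z.tr and z in ac'.
    A predicate over (s, ac') is the set of pairs that satisfy it."""
    return frozenset((s, ac) for s in STATES for ac in AC_SETS
                     if any(is_prefix(s, z) for z in ac))


def pbmh(pred):
    """PBMH(P) as used in the proof: exists ac0 . P[ac0/ac'] and ac0 subseteq ac',
    i.e. the closure of P under enlarging ac'."""
    return frozenset((s, ac) for (s, ac0) in pred for ac in AC_SETS if ac0 <= ac)


def lemma_l_h_3_9_holds():
    """PBMH o RA1(true) = RA1(true): RA1(true) is already closed under enlarging ac'."""
    p = ra1_true()
    return pbmh(p) == p


def singleton_relation():
    """{s} = ac': the final set is exactly the singleton of the initial state.
    It is not PBMH-healthy, so PBMH strictly enlarges it."""
    return frozenset((s, frozenset({s})) for s in STATES)


def pbmh_enlarges_singleton():
    r = singleton_relation()
    closed = pbmh(r)
    # every element of the closure still has s in ac', and there are 7 * 2^6 of them
    return r < closed and all(s in ac for (s, ac) in closed) and len(closed) == 7 * 2 ** 6
```

The two checks are independent: `lemma_l_h_3_9_holds` is the lemma itself on the finite model, and `pbmh_enlarges_singleton` shows that the same closure operator is not the identity on a relation that fixes $ac'$ exactly, which is why the lemma is worth stating.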


Linking

Theorem T.H.3.5

$\mathbf{H1}(a \rightarrow_{RAD} Skip_{RAD}) = \mathbf{AP}\left(true \vdash \mathcal{E}^{y}_{ac'}\left((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle)\right)\right)$

Proof.

$\mathbf{H1}(a \rightarrow_{RAD} Skip_{RAD})$   {Definition of $a \rightarrow_{RAD} Skip_{RAD}$}

$= \mathbf{H1} \circ \mathbf{RA} \circ \mathbf{A}\left(true \vdash \mathcal{E}^{y}_{ac'}\left((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle)\right)\right)$   {Lemma L.H.2.21}

$= \mathbf{AP}\left(true \vdash \mathcal{E}^{y}_{ac'}\left((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle)\right)\right)$

□


Theorem T.H.3.6

$\mathbf{H3} \circ \mathbf{H1}(a \rightarrow_{RAD} Skip_{RAD}) = \mathbf{AP}\left(true \vdash s \in ac' \lhd s.wait \rhd \mathcal{E}^{y}_{ac'}\left((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle)\right)\right)$

Proof.

$\mathbf{H3} \circ \mathbf{H1}(a \rightarrow_{RAD} Skip_{RAD})$   {Definition of $a \rightarrow_{RAD} Skip_{RAD}$}

$= \mathbf{H3} \circ \mathbf{H1} \circ \mathbf{RA} \circ \mathbf{A}\left(true \vdash \mathcal{E}^{y}_{ac'}\left((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle)\right)\right)$   {Lemma L.H.2.3}

$= \mathbf{RA1} \circ \mathbf{RA2} \circ \mathbf{PBMH}\left(true \vdash s \in ac' \lhd s.wait \rhd \mathcal{E}^{y}_{ac'}\left((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle)\right)\right)$   {Lemma L.G.7.26}

$= \mathbf{AP}\left(true \vdash s \in ac' \lhd s.wait \rhd \mathcal{E}^{y}_{ac'}\left((y.tr = s.tr \wedge a \notin y.ref) \lhd y.wait \rhd (y.tr = s.tr ^\frown \langle a \rangle)\right)\right)$

□






















Appendix I

Set Theory

Lemmas

Lemma L.1.0.10

$ac_0 \subseteq \{s \mid \{s\} = ac_1\} = ac_0 \subseteq ac_1 \wedge ac_0 \subseteq \{s \mid ac_1 \subseteq \{s\}\}$

Proof.

$ac_0 \subseteq \{s \mid \{s\} = ac_1\}$   {Definition of subset inclusion}

$= \forall x \bullet x \in ac_0 \Rightarrow x \in \{s \mid \{s\} = ac_1\}$   {Property of sets}

$= \forall x \bullet x \in ac_0 \Rightarrow \{x\} = ac_1$   {Property of sets}

$= \forall x \bullet x \in ac_0 \Rightarrow (\{x\} \subseteq ac_1 \wedge ac_1 \subseteq \{x\})$   {Property of sets}

$= \forall x \bullet x \in ac_0 \Rightarrow (x \in ac_1 \wedge ac_1 \subseteq \{x\})$   {Predicate calculus}

$= (\forall x \bullet x \in ac_0 \Rightarrow x \in ac_1) \wedge (\forall x \bullet x \in ac_0 \Rightarrow ac_1 \subseteq \{x\})$   {Property of sets}

$= (\forall x \bullet x \in ac_0 \Rightarrow x \in ac_1) \wedge (\forall x \bullet x \in ac_0 \Rightarrow x \in \{s \mid ac_1 \subseteq \{s\}\})$   {Definition of subset inclusion}

$= ac_0 \subseteq ac_1 \wedge ac_0 \subseteq \{s \mid ac_1 \subseteq \{s\}\}$

□

Lemma L.1.0.11

$ac_0 \subseteq \{s \mid ac_1 \subseteq \{s\}\} = ac_1 \subseteq \{s \mid ac_0 \subseteq \{s\}\}$

Proof.

$ac_0 \subseteq \{s \mid ac_1 \subseteq \{s\}\}$   {Definition of subset inclusion}

$= \forall x \bullet x \in ac_0 \Rightarrow x \in \{s \mid ac_1 \subseteq \{s\}\}$   {Property of sets}

$= \forall x \bullet x \in ac_0 \Rightarrow ac_1 \subseteq \{x\}$   {Definition of subset inclusion}

$= \forall x \bullet x \in ac_0 \Rightarrow (\forall y \bullet y \in ac_1 \Rightarrow y \in \{x\})$   {Property of sets}

$= \forall x \bullet x \in ac_0 \Rightarrow (\forall y \bullet y \in ac_1 \Rightarrow y = x)$   {Predicate calculus}

$= \forall x, y \bullet x \in ac_0 \Rightarrow (y \in ac_1 \Rightarrow y = x)$   {Predicate calculus}

$= \forall x, y \bullet x \in ac_0 \wedge y \in ac_1 \Rightarrow y = x$   {Predicate calculus}

$= \forall x, y \bullet y \in ac_1 \Rightarrow (x \in ac_0 \Rightarrow y = x)$   {Predicate calculus}

$= \forall y \bullet y \in ac_1 \Rightarrow (\forall x \bullet x \in ac_0 \Rightarrow y = x)$   {Property of sets}

$= \forall y \bullet y \in ac_1 \Rightarrow (\forall x \bullet x \in ac_0 \Rightarrow x \in \{y\})$   {Definition of subset inclusion}

$= \forall y \bullet y \in ac_1 \Rightarrow ac_0 \subseteq \{y\}$   {Property of sets}

$= \forall y \bullet y \in ac_1 \Rightarrow y \in \{s \mid ac_0 \subseteq \{s\}\}$   {Definition of subset inclusion}

$= ac_1 \subseteq \{s \mid ac_0 \subseteq \{s\}\}$

□

Lemma L.1.0.12

$ac_0 \subseteq \{s \mid ac_0 \subseteq ac'\} = ac_0 = \emptyset \vee ac_0 \subseteq ac'$

Proof.

$ac_0 \subseteq \{s \mid ac_0 \subseteq ac'\}$   {Definition of subset inclusion}

$= \forall x \bullet x \in ac_0 \Rightarrow x \in \{s \mid ac_0 \subseteq ac'\}$   {Property of sets}

$= \forall x \bullet x \in ac_0 \Rightarrow ac_0 \subseteq ac'$   {Predicate calculus}

$= \forall x \bullet (x \notin ac_0 \vee ac_0 \subseteq ac')$   {Predicate calculus}

$= (\forall x \bullet x \notin ac_0) \vee ac_0 \subseteq ac'$   {Property of sets}

$= ac_0 = \emptyset \vee ac_0 \subseteq ac'$

□


Lemma L.1.0.13 Provided $v$ is not $s$,

$\exists v \bullet t \subseteq \{s \mid Q\} = t \subseteq \{s \mid \exists v \bullet Q\}$

Proof.

$\exists v \bullet t \subseteq \{s \mid Q\}$   {Property of sets, $x$ is fresh}

$= \exists v \bullet (\forall x \bullet x \in t \Rightarrow (\exists s \bullet Q \wedge x = s))$   {Predicate calculus}

$= \forall x \bullet (\exists v \bullet x \in t \Rightarrow (\exists s \bullet Q \wedge x = s))$   {Predicate calculus}

$= \forall x \bullet x \in t \Rightarrow (\exists v \bullet (\exists s \bullet Q \wedge x = s))$   {Predicate calculus: $v$ is not $s$}

$= \forall x \bullet x \in t \Rightarrow (\exists s \bullet (\exists v \bullet Q) \wedge x = s)$   {Property of sets}

$= \forall x \bullet x \in t \Rightarrow x \in \{s \mid \exists v \bullet Q\}$   {Property of sets}

$= t \subseteq \{s \mid \exists v \bullet Q\}$

□


Lemma L.1.0.14 Provided $\preceq$ is transitive,

$x \preceq y \wedge A \subseteq \{z \mid y \preceq z \wedge x \preceq z \wedge e\} = x \preceq y \wedge A \subseteq \{z \mid y \preceq z \wedge e\}$

Proof.

$x \preceq y \wedge A \subseteq \{z \mid y \preceq z \wedge x \preceq z \wedge e\}$   {Property of sets}

$= x \preceq y \wedge \forall z \bullet z \in A \Rightarrow (y \preceq z \wedge x \preceq z \wedge e)$   {Predicate calculus}

$= \forall z \bullet x \preceq y \wedge (z \in A \Rightarrow (y \preceq z \wedge x \preceq z \wedge e))$   {Predicate calculus: $\preceq$ is transitive}

$= \forall z \bullet x \preceq y \wedge (z \in A \Rightarrow (y \preceq z \wedge e))$   {Predicate calculus}

$= x \preceq y \wedge \forall z \bullet z \in A \Rightarrow (y \preceq z \wedge e)$   {Property of sets}

$= x \preceq y \wedge A \subseteq \{z \mid y \preceq z \wedge e\}$

□


Lemma L.1.0.15

$\exists B \bullet B \neq \emptyset \wedge B \subseteq C \Leftrightarrow C \neq \emptyset$

Proof. (Implication) By contradiction: suppose the consequent is false yet the antecedent is true. Then $C = \emptyset$.

$\exists B \bullet B \neq \emptyset \wedge B \subseteq C$   {Assumption: $C = \emptyset$}

$= \exists B \bullet B \neq \emptyset \wedge B \subseteq \emptyset$   {Property of subset inclusion}

$= \exists B \bullet B \neq \emptyset \wedge B = \emptyset$   {Propositional calculus}

$= false$

□

Proof. (Reverse implication)

$C \neq \emptyset \Rightarrow \exists B \bullet B \neq \emptyset \wedge B \subseteq C$   {Choose $B = C$}

$= C \neq \emptyset \Rightarrow C \neq \emptyset \wedge C \subseteq C$   {Reflexivity of subset inclusion} {Propositional calculus}

$= true$

□


Lemma L.1.0.16

$\exists ac_0 \bullet s \in ac_0 \wedge ac_0 \subseteq ac' \Leftrightarrow s \in ac'$

Proof. (Implication)

$\exists ac_0 \bullet s \in ac_0 \wedge ac_0 \subseteq ac'$   {Definition of subset inclusion}

$= \exists ac_0 \bullet s \in ac_0 \wedge (\forall z \bullet z \in ac_0 \Rightarrow z \in ac')$   {Assume $s \in ac_0$; then there is a case when $z = s$}

$= \exists ac_0 \bullet s \in ac_0 \wedge (\forall z \bullet z \in ac_0 \Rightarrow z \in ac') \wedge (s \in ac_0 \Rightarrow s \in ac')$   {Assume $s \in ac_0$ and propositional calculus}

$\Rightarrow s \in ac'$

□

Proof. (Reverse implication)

$s \in ac' \Rightarrow (\exists ac_0 \bullet s \in ac_0 \wedge ac_0 \subseteq ac')$   {Choose $ac_0 = ac'$}

$= (s \in ac') \Rightarrow (s \in ac' \wedge ac' \subseteq ac')$   {Reflexivity of subset inclusion and propositional calculus}

$= true$

□
Lemma L.1.0.17 Provided that $P[y/z]$ holds,

$\{z \mid P \wedge z = y \bullet Q\} = \{Q[y/z]\}$

Proof.

$\{z \mid P \wedge z = y \bullet Q\}$   {Property of sets}

$= \{x \mid x \in \{z \mid P \wedge z = y \bullet Q\}\}$   {Property of sets}

$= \{x \mid \exists z \bullet P \wedge z = y \wedge x = Q\}$   {One-point rule}

$= \{x \mid P[y/z] \wedge x = Q[y/z]\}$   {Assumption: $P[y/z]$ holds}

$= \{x \mid x = Q[y/z]\}$   {Property of sets}

$= \{Q[y/z]\}$

□
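The lemmas of this appendix are first-order facts about sets, so each can be checked exhaustively on a small universe. The Python below is an added example, not part of the thesis: $U$, the comprehension helper `comp` and the function names are constructed for it; the order of Lemma L.1.0.14 is instantiated by $\leq$ on integers (which is transitive) together with an arbitrary predicate $e$, and every set variable ranges over all subsets of $U$. Lemmas L.1.0.10, L.1.0.11, L.1.0.12, L.1.0.14, L.1.0.15 and L.1.0.16 are covered.

```python
from itertools import combinations

# Finite universe, constructed for this example. Every set variable of the lemmas
# (ac0, ac1, ac', A, B, C) ranges over its subsets, every element variable over U.
U = (0, 1, 2)


def subsets(universe=U):
    return [frozenset(c) for n in range(len(universe) + 1) for c in combinations(universe, n)]


SUBSETS = subsets()


def comp(pred):
    """The set comprehension {s | pred(s)} over U."""
    return frozenset(s for s in U if pred(s))


def lemma_1_0_10():
    """ac0 ⊆ {s | {s} = ac1}  =  ac0 ⊆ ac1 ∧ ac0 ⊆ {s | ac1 ⊆ {s}}"""
    return all(
        (ac0 <= comp(lambda s: frozenset({s}) == ac1))
        == (ac0 <= ac1 and ac0 <= comp(lambda s: ac1 <= frozenset({s})))
        for ac0 in SUBSETS for ac1 in SUBSETS)


def lemma_1_0_11():
    """ac0 ⊆ {s | ac1 ⊆ {s}}  =  ac1 ⊆ {s | ac0 ⊆ {s}}"""
    return all(
        (ac0 <= comp(lambda s: ac1 <= frozenset({s})))
        == (ac1 <= comp(lambda s: ac0 <= frozenset({s})))
        for ac0 in SUBSETS for ac1 in SUBSETS)


def lemma_1_0_12():
    """ac0 ⊆ {s | ac0 ⊆ ac'}  =  ac0 = ∅ ∨ ac0 ⊆ ac'   (the comprehension does not depend on s)"""
    return all(
        (ac0 <= comp(lambda s: ac0 <= ac_))
        == (len(ac0) == 0 or ac0 <= ac_)
        for ac0 in SUBSETS for ac_ in SUBSETS)


def lemma_1_0_14(order=lambda x, y: x <= y, e=lambda z: z % 2 == 0):
    """For a transitive order and any predicate e:
    x ≼ y ∧ A ⊆ {z | y ≼ z ∧ x ≼ z ∧ e}  =  x ≼ y ∧ A ⊆ {z | y ≼ z ∧ e}"""
    return all(
        (order(x, y) and A <= comp(lambda z: order(y, z) and order(x, z) and e(z)))
        == (order(x, y) and A <= comp(lambda z: order(y, z) and e(z)))
        for x in U for y in U for A in SUBSETS)


def lemma_1_0_15():
    """∃B • B ≠ ∅ ∧ B ⊆ C  ⇔  C ≠ ∅"""
    return all(any(len(B) > 0 and B <= C for B in SUBSETS) == (len(C) > 0)
               for C in SUBSETS)


def lemma_1_0_16():
    """∃ac0 • s ∈ ac0 ∧ ac0 ⊆ ac'  ⇔  s ∈ ac'"""
    return all(any(s in ac0 and ac0 <= ac_ for ac0 in SUBSETS) == (s in ac_)
               for s in U for ac_ in SUBSETS)


def check_all():
    """One boolean per lemma; every entry is expected to be True."""
    return {"L.1.0.10": lemma_1_0_10(), "L.1.0.11": lemma_1_0_11(),
            "L.1.0.12": lemma_1_0_12(), "L.1.0.14": lemma_1_0_14(),
            "L.1.0.15": lemma_1_0_15(), "L.1.0.16": lemma_1_0_16()}
```

A finite check of this kind does not replace the proofs, but it is a cheap way to catch a mis-transcribed lemma before it is used as a rewrite rule in a longer derivation such as those of Appendix H.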
Appendix J

Definitions: Alphabets and Healthiness Conditions

J.1 Binary Multirelations

Definition 11

$BM = State \leftrightarrow \mathbb{P}\, State$

J.1.1 Healthiness Conditions

Definition 12

$\mathbf{BMH} = \forall s, ss_0, ss_1 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1) \Rightarrow (s, ss_1) \in B$

J.2 Designs

J.2.1 Alphabet

$ok, ok' : \{true, false\}$

J.2.2 Healthiness Conditions

Definition 26 (H1) $\mathbf{H1}(P) = ok \Rightarrow P$

Definition 27 (H2) $\mathbf{H2}(P) = [P[false/ok'] \Rightarrow P[true/ok']]$

Definition 30 (H3) $\mathbf{H3}(P) = P \mathrel{;} \mathbf{II}_D$

Definition 31 (H4) $P \mathrel{;} true = true$
J.3 Reactive Processes and CSP

J.3.1 Alphabet

$ok, ok', wait, wait' : \{true, false\}$
$tr, tr' : seq\, Event$
$ref, ref' : \mathbb{P}\, Event$

J.3.2 Healthiness Conditions

Definition

$\mathbf{R1}(P) = P \wedge tr \leq tr'$
$\mathbf{R2}(P) = P[\langle\rangle, tr' - tr / tr, tr']$
$\mathbf{R3}(P) = \mathbf{II}_{rea} \lhd wait \rhd P$
$\mathbf{R}(P) = \mathbf{R3} \circ \mathbf{R1} \circ \mathbf{R2}(P)$

Definition 58

$\mathbf{CSP1}(P) = P \vee \mathbf{R1}(\neg ok)$
$\mathbf{CSP2}(P) = P \mathrel{;} ((ok \Rightarrow ok') \wedge tr' = tr \wedge ref' = ref \wedge wait' = wait)$

J.4 Extended Binary Multirelations

Definition 66

$State_\bot == State \cup \{\bot\}$
$BM_\bot == State \leftrightarrow \mathbb{P}\, State_\bot$

J.4.1 Healthiness Conditions

Definition 67 (BMH0)

$\forall s, ss_0, ss_1 \bullet ((s, ss_0) \in B \wedge ss_0 \subseteq ss_1 \wedge (\bot \in ss_0 \Leftrightarrow \bot \in ss_1)) \Rightarrow (s, ss_1) \in B$

Definition 68 (BMH1) $\forall s : State, ss : \mathbb{P}\, State_\bot \bullet (s, ss \cup \{\bot\}) \in B \Rightarrow (s, ss) \in B$

Definition 69 (BMH2) $\forall s : State \bullet (s, \emptyset) \in B \Leftrightarrow (s, \{\bot\}) \in B$






Definition 70 (BMH3)

$\forall s : State \bullet (s, \emptyset) \notin B \Rightarrow (\forall ss : \mathbb{P}\, State_\bot \bullet (s, ss) \in B \Rightarrow \bot \notin ss)$


J.5 Angelic Designs

J.5.1 Alphabet

Definition 85

$s : State(S_\alpha)$
$ac' : \mathbb{P}\, State(S_\alpha)$
$ok, ok' : \{true, false\}$
$State(S_\alpha) = \{x, e \mid x \in S_\alpha\}$

J.5.2 Healthiness Conditions

Definition 87

$\mathbf{A0}(P) = P \wedge ((ok \wedge \neg P^f) \Rightarrow (ok' \Rightarrow ac' \neq \emptyset))$

Definition 88

$\mathbf{PBMH}(P) = P \mathrel{;} ac \subseteq ac' \wedge ok' = ok$

Definition 89

$\mathbf{A1}(P \vdash Q) = (\neg \mathbf{PBMH}(\neg P) \vdash \mathbf{PBMH}(Q))$

Definition 90

$\mathbf{A}(P) = \mathbf{A0} \circ \mathbf{A1}(P)$

Definition 91

$\mathbf{A2}(P) = \mathbf{PBMH}(P \mathrel{;} \{s\} = ac')$

J.6 Reactive Angelic Designs

J.6.1 Alphabet

Definition 107

$ok, ok' : \{true, false\},\; s : State(\{tr, ref, wait\}),\; ac' : \mathbb{P}\, State(\{tr, ref, wait\})$

J.6.2 Healthiness Conditions

Definition 109

$\mathbf{RA1}(P) = (P \wedge ac' \neq \emptyset)[States_{tr \leq tr'}(s) \cap ac' / ac']$

Definition 110

$\mathbf{RA2}(P) = P\left[s \oplus \{tr \mapsto \langle\rangle\},\; \{z \mid z \in ac' \wedge s.tr \leq z.tr \bullet z \oplus \{tr \mapsto z.tr - s.tr\}\} \;/\; s, ac'\right]$

Definition 112 $\mathbf{RA3}(P) = \mathbf{II}_{RAD} \lhd s.wait \rhd P$

Definition 113 $\mathbf{RA}(P) = \mathbf{RA1} \circ \mathbf{RA2} \circ \mathbf{RA3}(P)$

Definition 114 $\mathbf{CSPA1}(P) \mathrel{\hat{=}} P \vee \mathbf{RA1}(\neg ok)$

Definition 115 $\mathbf{CSPA2}(P) \mathrel{\hat{=}} \mathbf{H2}(P)$

Definition 116 $\mathbf{RAD}(P) \mathrel{\hat{=}} \mathbf{RA} \circ \mathbf{CSPA1} \circ \mathbf{CSPA2} \circ \mathbf{PBMH}(P)$

Definition 126 $\mathbf{ND}_{RAD}(P) = P \sqcap_{RAD} Choice_{RAD}$

J.7 Angelic Processes

J.7.1 Healthiness Conditions

Definition 127 $\mathbf{AP}(P) \mathrel{\hat{=}} \mathbf{RA3}_{AP} \circ \mathbf{RA2} \circ \mathbf{A} \circ \mathbf{H1} \circ \mathbf{CSPA2}(P)$

Definition 129 $\mathbf{RA3}_{AP}(P) \mathrel{\hat{=}} \mathbf{II}_{AP} \lhd s.wait \rhd P$

Definition 130 $\mathbf{ND}_{AP}(P) = Choice_{AP} \sqcap_{AP} P$
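The multirelational healthiness conditions of Definitions 12 and 67 to 70 are decidable on a finite state space, and the following Python is an added example (not the thesis's own code) that encodes each of them as a check on a binary multirelation represented as a set of $(s, ss)$ pairs, with $ss$ a frozenset that may contain the divergence marker $\bot$. `STATE`, `BOT` and the sample relations are constructed for the example; the third relation is built to fail exactly BMH3, so the checks also show which condition a non-healthy relation violates.

```python
from itertools import combinations

STATE = ("p", "q")          # tiny state space, constructed for this example
BOT = "⊥"                   # the divergence marker of State_⊥
STATE_BOT = STATE + (BOT,)


def powerset(universe):
    return [frozenset(c) for n in range(len(universe) + 1) for c in combinations(universe, n)]


SS_PLAIN = powerset(STATE)      # values of ss in BM
SS_BOT = powerset(STATE_BOT)    # values of ss in BM_⊥


def bmh(B):
    """Definition 12 (plain BM): (s, ss0) in B and ss0 <= ss1 implies (s, ss1) in B."""
    return all((s, ss1) in B for (s, ss0) in B for ss1 in SS_PLAIN if ss0 <= ss1)


def bmh0(B):
    """Definition 67: upward closure, but only between sets that agree on membership of ⊥."""
    return all((s, ss1) in B for (s, ss0) in B for ss1 in SS_BOT
               if ss0 <= ss1 and ((BOT in ss0) == (BOT in ss1)))


def bmh1(B):
    """Definition 68: (s, ss ∪ {⊥}) in B implies (s, ss) in B."""
    return all((s, ss) in B for s in STATE for ss in SS_BOT if (s, ss | {BOT}) in B)


def bmh2(B):
    """Definition 69: (s, ∅) in B iff (s, {⊥}) in B."""
    return all(((s, frozenset()) in B) == ((s, frozenset({BOT})) in B) for s in STATE)


def bmh3(B):
    """Definition 70: if (s, ∅) is not in B then no set related to s contains ⊥."""
    return all(BOT not in ss
               for s in STATE if (s, frozenset()) not in B
               for (t, ss) in B if t == s)


def healthiness(B):
    """All four BM_⊥ conditions for one relation."""
    return {"BMH0": bmh0(B), "BMH1": bmh1(B), "BMH2": bmh2(B), "BMH3": bmh3(B)}


def skip_ext():
    """Terminating skip: every final set contains the initial state and never ⊥."""
    return frozenset((s, ss) for s in STATE for ss in SS_BOT if s in ss and BOT not in ss)


def abort_ext():
    """Abort: every final set is allowed, ∅ and {⊥} included."""
    return frozenset((s, ss) for s in STATE for ss in SS_BOT)


def unhealthy_ext():
    """Like skip_ext but also admitting sets that contain ⊥: since (s, ∅) is absent,
    BMH3 forbids any related set containing ⊥, so this relation violates BMH3 only."""
    return frozenset((s, ss) for s in STATE for ss in SS_BOT if s in ss)


def bmh_examples():
    """Definition 12 on two plain relations: upward-closed skip, and the exact-singleton relation."""
    skip_plain = frozenset((s, ss) for s in STATE for ss in SS_PLAIN if s in ss)
    exact_plain = frozenset((s, frozenset({s})) for s in STATE)
    return bmh(skip_plain), bmh(exact_plain)
```

Each check quantifies over all $ss$ of the finite model, which is exactly what the universal quantifiers in the definitions demand; on a real (infinite) state space the same conditions are proof obligations, not tests.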
















Glossary 


ACP Algebra of Communicating Processes 

ASM Abstract State Machine 

BNF Backus-Naur Normal Form 

CCS Calculus of Concurrent Systems 

CSP Communicating Sequential Processes 

FCD Free Completely Distributive 

FDR Failures-Divergence Refinement 

FSM Finite State Machines 

JCSP Java Communicating Sequential Processes 

LTS Labelled Transition System 

SOS Structured Operational Semantics 

UTP Unifying Theories of Programming 

VDM Vienna Development Method 

ZRC Z Refinement Calculus 